| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 7701 | CVE-2018-18853 | 400 | | DoS | 2018-10-31 | 2018-12-12 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits. |
| 7702 | CVE-2018-18849 | 125 | | | 2019-03-21 | 2019-05-31 | 2.1 | None | Local | Low | Not required | None | None | Partial | In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. |
| 7703 | CVE-2018-18842 | 352 | | Exec Code CSRF | 2018-10-30 | 2019-01-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code. |
| 7704 | CVE-2018-18841 | 79 | | XSS | 2018-10-30 | 2018-12-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexkey parameter. |
| 7705 | CVE-2018-18840 | 79 | | XSS | 2018-10-30 | 2018-12-06 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Class=edit&CF=SeoAndTag tag_indexmetatit parameter. |
| 7706 | CVE-2018-18839 | 200 | | +Info | 2019-06-18 | 2019-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ** DISPUTED ** An issue was discovered in Netdata 1.10.0. Full Path Disclosure (FPD) exists via api/v1/alarms. NOTE: the vendor says "is intentional." |
| 7707 | CVE-2018-18838 | 74 | | | 2019-06-18 | 2019-06-18 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forgery) exists via a %0a sequence in the url parameter to api/v1/registry. |
| 7708 | CVE-2018-18837 | 113 | | | 2019-06-18 | 2019-06-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c. |
| 7709 | CVE-2018-18836 | 74 | | | 2019-06-18 | 2019-06-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c. |
| 7710 | CVE-2018-18831 | 22 | | Dir. Trav. | 2018-10-30 | 2018-12-11 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue was discovered in com\mingsoft\cms\action\GeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position parameter) to an arbitrary directory via a ../ Directory Traversal in the url parameter. |
| 7711 | CVE-2018-18829 | 476 | | | 2018-10-30 | 2018-12-06 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | There exists a NULL pointer dereference in ff_vc1_parse_frame_header_adv in vc1.c in Libav 12.3, which allows attackers to cause a denial-of-service through a crafted aac file. |
| 7712 | CVE-2018-18828 | 119 | | Overflow | 2018-10-30 | 2018-12-06 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | There exists a heap-based buffer overflow in vc1_decode_i_block_adv in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file. |
| 7713 | CVE-2018-18827 | 125 | | | 2018-10-30 | 2018-12-06 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | There exists a heap-based buffer over-read in ff_vc1_pred_dc in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file. |
| 7714 | CVE-2018-18826 | 119 | | Overflow | 2018-10-30 | 2018-12-06 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | There exists a heap-based buffer overflow in vc1_decode_p_mb_intfi in vc1_block.c in Libav 12.3, which allows attackers to cause a denial-of-service via a crafted aac file. |
| 7715 | CVE-2018-18825 | 79 | | XSS | 2018-10-30 | 2018-12-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Pagoda Linux panel V6.0 has XSS via the verification code associated with an invalid account login. A crafted code is mishandled during rendering of the login log. |
| 7716 | CVE-2018-18824 | 79 | | XSS | 2019-04-25 | 2019-04-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | WolfCMS v0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/. |
| 7717 | CVE-2018-18823 | 79 | | XSS | 2019-04-25 | 2019-04-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | WolfCMS 0.8.3.1 allows XSS via an SVG file to /?/admin/plugin/file_manager/browse/. |
| 7718 | CVE-2018-18820 | 119 | | DoS Exec Code Overflow | 2018-11-05 | 2019-01-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | A buffer overflow was discovered in the URL-authentication backend of the Icecast before 2.4.4. If the backend is enabled, then any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution. |
| 7719 | CVE-2018-18817 | 668 | | | 2018-10-29 | 2019-10-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The Leostream Agent before Build 7.0.1.0 when used with Leostream Connection Broker 8.2.72 or earlier allows remote attackers to modify registry keys via the Leostream Agent API. |
| 7720 | CVE-2018-18816 | 79 | | XSS | 2019-03-07 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The repository component of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS contains a persistent cross site scripting vulnerability. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy versions up to and including 7.1.0, and TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. |
| 7721 | CVE-2018-18813 | 79 | | XSS | 2019-01-16 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Spotfire web server component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains multiple vulnerabilities that may allow persistent and reflected cross-site scripting attacks. Affected releases are TIBCO Software Inc. TIBCO Spotfire Analytics Platform for AWS Marketplace: versions up to and including 10.0.0, and TIBCO Spotfire Server: versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0. |
| 7722 | CVE-2018-18812 | 269 | | | 2019-01-16 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace, and TIBCO Spotfire Server contains a vulnerability that might theoretically fail to restrict users with read-only access from modifying files stored in the Spotfire Library, only when the Spotfire Library is configured to use external storage. Affected releases are TIBCO Software Inc.'s TIBCO Spotfire Analytics Platform for AWS Marketplace versions up to and including 10.0.0, and TIBCO Spotfire Server versions up to and including 7.10.1; 7.11.0; 7.11.1; 7.12.0; 7.13.0; 7.14.0; 10.0.0. |
| 7723 | CVE-2018-18810 | 255 | | +Priv | 2018-12-11 | 2019-10-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Administrator Service component of TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center, and TIBCO Managed File Transfer Internet Server contains vulnerabilities where an authenticated user with specific privileges can gain access to credentials to other systems. Affected releases are TIBCO Software Inc.'s TIBCO Managed File Transfer Command Center: versions up to and including 7.3.2; 8.0.0; 8.0.1; 8.0.2; 8.1.0, and TIBCO Managed File Transfer Internet Server: versions up to and including 7.3.2; 8.0.0; 8.0.1; 8.0.2; 8.1.0. |
| 7724 | CVE-2018-18809 | 22 | | Dir. Trav. | 2019-03-07 | 2019-09-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: versions up to and including 6.3.4; 6.4.1; 6.4.2; 6.4.21; 7.1.0; 7.2.0, TIBCO JasperReports Library Community Edition: versions up to and including 6.7.0, TIBCO JasperReports Library for ActiveMatrix BPM: versions up to and including 6.4.21, TIBCO JasperReports Server: versions up to and including 6.3.4; 6.4.0; 6.4.1; 6.4.2; 6.4.3; 7.1.0, TIBCO JasperReports Server Community Edition: versions up to and including 6.4.3; 7.1.0, TIBCO JasperReports Server for ActiveMatrix BPM: versions up to and including 6.4.3, TIBCO Jaspersoft for AWS with Multi-Tenancy: versions up to and including 7.1.0, TIBCO Jaspersoft Reporting and Analytics for AWS: versions up to and including 7.1.0. |
| 7725 | CVE-2018-18807 | 79 | | XSS | 2018-11-26 | 2019-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | The web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0. |
| 7726 | CVE-2018-18802 | 352 | | CSRF | 2019-06-18 | 2019-06-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Tubigan "Welcome to our Resort" 1.0 software allows CSRF via admin/mod_users/controller.php?action=edit. |
| 7727 | CVE-2018-18799 | 352 | | CSRF | 2018-11-16 | 2018-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos. |
| 7728 | CVE-2018-18797 | 352 | | CSRF | 2018-11-16 | 2018-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php. |
| 7729 | CVE-2018-18794 | 352 | | CSRF | 2018-11-16 | 2018-12-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | School Event Management System 1.0 allows CSRF via user/controller.php?action=edit. |
| 7730 | CVE-2018-18790 | 89 | | Sql | 2018-10-29 | 2018-12-04 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | An issue was discovered in zzcms 8.3. SQL Injection exists in admin/special_add.php via a zxbigclassid cookie. (This needs an admin user login.) |
| 7731 | CVE-2018-18788 | 89 | | Sql | 2018-10-29 | 2018-12-04 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | An issue was discovered in zzcms 8.3. SQL Injection exists in admin/classmanage.php via the tablename parameter. (This needs an admin user login.) |
| 7732 | CVE-2018-18784 | 89 | | Sql | 2018-10-29 | 2018-12-04 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | An issue was discovered in zzcms 8.3. SQL Injection exists in admin/tagmanage.php via the tabletag parameter. (This needs an admin user login.) |
| 7733 | CVE-2018-18783 | 79 | | XSS | 2018-10-29 | 2018-12-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | XSS was discovered in SEMCMS V3.4 via the semcms_remail.php?type=ok umail parameter. |
| 7734 | CVE-2018-18782 | 79 | | XSS | 2018-10-29 | 2018-12-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter. |
| 7735 | CVE-2018-18781 | 79 | | XSS | 2018-10-29 | 2018-12-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter. |
| 7736 | CVE-2018-18778 | 200 | | +Info | 2018-10-29 | 2018-12-06 | 4.0 | None | Remote | Low | Single system | Partial | None | None | ACME mini_httpd before 1.30 lets remote users read arbitrary files. |
| 7737 | CVE-2018-18777 | 22 | | Dir. Trav. Bypass | 2018-11-01 | 2018-12-12 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product. |
| 7738 | CVE-2018-18776 | 79 | | XSS | 2018-11-01 | 2018-12-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product. |
| 7739 | CVE-2018-18775 | 79 | | XSS | 2018-11-01 | 2018-12-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product. |
| 7740 | CVE-2018-18774 | 79 | | XSS | 2018-11-20 | 2018-11-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter. |
| 7741 | CVE-2018-18773 | 352 | | CSRF | 2018-11-20 | 2018-11-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password. |
| 7742 | CVE-2018-18772 | 352 | | CSRF | 2018-11-20 | 2018-11-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command. |
| 7743 | CVE-2018-18771 | 434 | | | 2018-10-29 | 2018-12-11 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue was discovered in LuLu CMS through 2015-05-14. backend\modules\filemanager\controllers\DefaultController.php allows arbitrary file upload by entering a filename, directory name, and PHP code into the three text input fields. |
| 7744 | CVE-2018-18765 | 125 | | DoS | 2018-10-29 | 2018-12-07 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial | An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in mg_mqtt_next_subscribe_topic. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability. |
| 7745 | CVE-2018-18764 | 125 | | DoS | 2018-10-29 | 2018-12-07 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial | An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in a parse_mqtt getu16 call. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability. |
| 7746 | CVE-2018-18762 | 200 | | +Info | 2019-03-21 | 2019-04-15 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | SaltOS 3.1 r8126 contains a database download vulnerability. |
| 7747 | CVE-2018-18760 | 352 | | CSRF | 2018-11-16 | 2018-12-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | RhinOS 3.0 build 1190 allows CSRF. |
| 7748 | CVE-2018-18759 | 119 | | Overflow | 2018-11-16 | 2019-01-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Modbus Slave 7.0.0 in modbus tools has a Buffer Overflow. |
| 7749 | CVE-2018-18756 | 119 | | Overflow | 2018-11-16 | 2018-12-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Local Server 1.0.9 has a Buffer Overflow via crafted data on Port 4008. |
| 7750 | CVE-2018-18754 | 522 | | | 2018-10-29 | 2019-10-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | ZyXEL VMG3312-B10B 1.00(AAPP.7) devices have a backdoor root account with the [email protected]!Sr0O+ password hash in the etc/default.cfg file. |