| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
13151 |
CVE-2018-7674 |
601 |
|
|
2018-03-28 |
2019-10-09 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The NetIQ Identity Manager user console, in versions prior to 4.7, is susceptible to URL redirection. |
|
13152 |
CVE-2018-7673 |
|
|
|
2018-03-26 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The NetIQ Identity Manager communication channel, in versions prior to 4.7, is susceptible to a DoS attack. |
|
13153 |
CVE-2018-7668 |
200 |
|
+Info |
2018-03-05 |
2018-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachments/attachmentdownload.php. |
|
13154 |
CVE-2018-7663 |
79 |
|
XSS |
2018-03-05 |
2018-03-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in resources/views/layouts/app.blade.php in Voten.co before 2017-08-25. An unescaped template literal in the bio field of a user profile (resources/views/layouts/app.blade.php) allows for server-side template injection of arbitrary JavaScript. |
|
13155 |
CVE-2018-7662 |
200 |
|
+Info |
2018-03-04 |
2018-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Couch through 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php. |
|
13156 |
CVE-2018-7661 |
200 |
|
+Info |
2018-03-04 |
2018-03-29 |
2.9 |
None |
Local Network |
Medium |
Not required |
Partial |
None |
None |
|
Papenmeier WiFi Baby Monitor Free & Lite before 2.02.2 allows remote attackers to obtain audio data via certain requests to TCP ports 8258 and 8257. |
|
13157 |
CVE-2018-7660 |
79 |
|
XSS |
2018-04-11 |
2018-05-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In OpenText Documentum D2 Webtop v4.6.0030 build 059, a Reflected Cross-Site Scripting Vulnerability could potentially be exploited by malicious users to compromise the affected system via the servlet/Download _docbase or _username parameter. |
|
13158 |
CVE-2018-7659 |
79 |
|
XSS |
2018-04-11 |
2018-05-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In OpenText Documentum D2 Webtop v4.6.0030 build 059, a Stored Cross-Site Scripting Vulnerability could potentially be exploited by malicious users to compromise the affected system via a filename of an uploaded image file. |
|
13159 |
CVE-2018-7658 |
20 |
|
DoS |
2018-03-26 |
2018-04-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
NTSServerSvc.exe in the server in Softros Network Time System 2.3.4 allows remote attackers to cause a denial of service (daemon crash) by sending exactly 11 bytes. |
|
13160 |
CVE-2018-7654 |
22 |
|
Dir. Trav. |
2018-03-03 |
2018-03-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal. |
|
13161 |
CVE-2018-7653 |
79 |
|
XSS |
2018-03-04 |
2019-06-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. |
|
13162 |
CVE-2018-7652 |
79 |
|
XSS |
2018-03-03 |
2018-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
lib/Zonemaster/GUI/Dancer/Export.pm in Zonemaster Web GUI before 1.0.11 has XSS. |
|
13163 |
CVE-2018-7651 |
400 |
|
DoS |
2018-03-03 |
2018-03-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
index.js in the ssri module before 5.2.2 for Node.js is prone to a regular expression denial of service vulnerability in strict mode functionality via a long base64 hash string. |
|
13164 |
CVE-2018-7650 |
79 |
|
XSS |
2018-03-06 |
2018-03-27 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
PHP Scripts Mall Hot Scripts Clone:Script Classified Version 3.1 Application is vulnerable to stored XSS within the "Add New" function for a Management User. Within the "Add New" section, the application does not sanitize user supplied input to the name parameter, and renders injected JavaScript code to the user's browser. This is different from CVE-2018-6878. |
|
13165 |
CVE-2018-7649 |
79 |
|
XSS |
2018-08-02 |
2018-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Monitorix before 3.10.1 allows XSS via CGI variables. |
|
13166 |
CVE-2018-7644 |
347 |
|
|
2018-03-05 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp before 1.15.3 incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue. |
|
13167 |
CVE-2018-7643 |
190 |
|
DoS Overflow |
2018-03-02 |
2019-04-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The display_debug_ranges function in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, as demonstrated by objdump. |
|
13168 |
CVE-2018-7642 |
476 |
|
DoS |
2018-03-02 |
2019-04-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The swap_std_reloc_in function in aoutx.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (aout_32_swap_std_reloc_out NULL pointer dereference and application crash) via a crafted ELF file, as demonstrated by objcopy. |
|
13169 |
CVE-2018-7641 |
125 |
|
|
2018-03-02 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image, a different vulnerability than CVE-2018-7588. This is in a "32 bits colors" case, aka case 32. |
|
13170 |
CVE-2018-7640 |
125 |
|
|
2018-03-02 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image, a different vulnerability than CVE-2018-7588. This is in a Monochrome case, aka case 1. |
|
13171 |
CVE-2018-7639 |
125 |
|
|
2018-03-02 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image, a different vulnerability than CVE-2018-7588. This is in a "16 bits colors" case, aka case 16. |
|
13172 |
CVE-2018-7638 |
125 |
|
|
2018-03-02 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image, a different vulnerability than CVE-2018-7588. This is in a "256 colors" case, aka case 8. |
|
13173 |
CVE-2018-7637 |
125 |
|
|
2018-03-02 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image, a different vulnerability than CVE-2018-7588. This is in a "16 colors" case, aka case 4. |
|
13174 |
CVE-2018-7636 |
79 |
|
XSS |
2018-07-03 |
2018-09-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The URL filtering "continue page" hosted by PAN-OS 8.0.10 and earlier may allow an attacker to inject arbitrary JavaScript or HTML via specially crafted URLs. |
|
13175 |
CVE-2018-7635 |
20 |
|
|
2018-07-03 |
2018-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Whale Browser before 1.0.41.8 displays no URL information but only a title of a web page on the browser's address bar when visiting a blank page, which allows an attacker to display a malicious web page with a fake domain name. |
|
13176 |
CVE-2018-7634 |
352 |
|
CSRF |
2018-03-01 |
2018-03-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF attack mitigation while changing an e-mail address makes it possible to abuse the functionality by attackers. By making a CSRF attack, an attacker could make a victim change his registered e-mail address on the application, leading to account takeover. |
|
13177 |
CVE-2018-7632 |
119 |
|
DoS Overflow |
2018-10-09 |
2018-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to cause a denial of service attack remotely via a specially crafted GET request with a leading "/" in the URL. |
|
13178 |
CVE-2018-7603 |
79 |
|
XSS |
2019-01-15 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In Drupal's 3rd party module search auto complete prior to versions 7.x-4.8 there is a Cross Site Scripting vulnerability. This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments. |
|
13179 |
CVE-2018-7590 |
352 |
|
CSRF |
2018-03-01 |
2018-03-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
CSRF exists in Hoosk 1.7.0 via /admin/users/new/add, resulting in account creation. |
|
13180 |
CVE-2018-7589 |
415 |
|
|
2018-03-01 |
2019-06-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. A double free in load_bmp in CImg.h occurs when loading a crafted bmp image. |
|
13181 |
CVE-2018-7588 |
125 |
|
|
2018-03-01 |
2019-10-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. A heap-based buffer over-read in load_bmp in CImg.h occurs when loading a crafted bmp image. |
|
13182 |
CVE-2018-7587 |
119 |
|
Overflow |
2018-03-01 |
2019-06-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in CImg v.220. DoS occurs when loading a crafted bmp image that triggers an allocation failure in load_bmp in CImg.h. |
|
13183 |
CVE-2018-7586 |
22 |
|
Dir. Trav. |
2018-03-01 |
2018-03-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In the nextgen-gallery plugin before 2.2.50 for WordPress, gallery paths are not secured. |
|
13184 |
CVE-2018-7583 |
20 |
|
DoS |
2018-03-03 |
2018-03-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Proxy.exe in DualDesk 20 allows Remote Denial Of Service (daemon crash) via a long string to TCP port 5500. |
|
13185 |
CVE-2018-7582 |
770 |
|
DoS |
2018-03-09 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991. |
|
13186 |
CVE-2018-7581 |
732 |
|
|
2018-03-09 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
\ProgramData\WebLog Expert\WebServer\WebServer.cfg in WebLog Expert Web Server Enterprise 9.4 has weak permissions (BUILTIN\Users:(ID)C), which allows local users to set a cleartext password and login as admin. |
|
13187 |
CVE-2018-7579 |
89 |
|
Sql |
2018-03-01 |
2018-03-22 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
\application\admin\controller\update_urls.class.php in YzmCMS 3.6 has SQL Injection via the catids array parameter to admin/update_urls/update_category_url.html. |
|
13188 |
CVE-2018-7577 |
20 |
|
|
2019-04-24 |
2019-04-30 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory. |
|
13189 |
CVE-2018-7576 |
476 |
|
|
2019-04-23 |
2019-04-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent. |
|
13190 |
CVE-2018-7574 |
125 |
|
|
2019-04-24 |
2019-04-30 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
Google TensorFlow 1.6.x and earlier is affected by a Null Pointer Dereference vulnerability. The type of exploitation is: context-dependent. |
|
13191 |
CVE-2018-7570 |
476 |
|
DoS |
2018-02-28 |
2018-11-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The assign_file_positions_for_non_load_sections function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an ELF file with a RELRO segment that lacks a matching LOAD segment, as demonstrated by objcopy. |
|
13192 |
CVE-2018-7569 |
190 |
|
DoS Overflow |
2018-02-28 |
2019-04-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer underflow or overflow, and application crash) via an ELF file with a corrupt DWARF FORM block, as demonstrated by nm. |
|
13193 |
CVE-2018-7568 |
190 |
|
DoS Overflow |
2018-02-28 |
2019-04-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The parse_die function in dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (integer overflow and application crash) via an ELF file with corrupt dwarf1 debug information, as demonstrated by nm. |
|
13194 |
CVE-2018-7566 |
119 |
|
Overflow |
2018-03-30 |
2019-06-17 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Linux kernel 4.15 has a Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user. |
|
13195 |
CVE-2018-7565 |
352 |
|
CSRF |
2018-03-07 |
2018-03-26 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
CSRF exists on Polycom QDX 6000 devices. |
|
13196 |
CVE-2018-7564 |
79 |
|
XSS |
2018-03-07 |
2018-03-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Stored XSS exists on Polycom QDX 6000 devices. |
|
13197 |
CVE-2018-7563 |
79 |
|
Exec Code XSS |
2018-03-12 |
2018-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in GLPI through 9.2.1. The application is affected by XSS in the query string to front/preference.php. An attacker is able to create a malicious URL that, if opened by an authenticated user with debug privilege, will execute JavaScript code supplied by the attacker. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. |
|
13198 |
CVE-2018-7562 |
434 |
|
Exec Code |
2018-03-12 |
2018-04-11 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php. |
|
13199 |
CVE-2018-7560 |
20 |
|
DoS |
2018-03-04 |
2018-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
index.js in the Anton Myshenin aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service (ReDoS) issue via a crafted multipart/form-data boundary string. |
|
13200 |
CVE-2018-7559 |
320 |
|
|
2018-06-13 |
2019-06-10 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit 2018-04-12, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit 2018-03-13. A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack. |
