The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2018-19226 | An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to list .txt files via a direct request for the /data/0/admin.txt URI. | MEDIUM | Nov 12, 2018 |
CVE-2018-19225 | An issue was discovered in LAOBANCMS 2.0. admin/mima.php has CSRF. | MEDIUM | Nov 12, 2018 |
CVE-2018-19224 | An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies. | MEDIUM | Nov 12, 2018 |
CVE-2018-19223 | An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI. | LOW | Nov 12, 2018 |
CVE-2018-19222 | An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_hy.php?riqi=0&i=0 attack to reset the admin password, even if install.txt exists. | HIGH | Nov 12, 2018 |
CVE-2018-19221 | An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via the admin/login.php guanliyuan parameter. | HIGH | Nov 12, 2018 |
CVE-2018-19220 | An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to execute arbitrary PHP code via the host parameter to the install/ URI. | HIGH | Nov 12, 2018 |
CVE-2018-19219 | In LibSass 3.5-stable, there is an illegal address access at Sass::Eval::operator that will lead to a DoS attack. | MEDIUM | Nov 12, 2018 |
CVE-2018-19218 | In LibSass 3.5-stable, there is an illegal address access at Sass::Parser::parse_css_variable_value_token that will lead to a DoS attack. | MEDIUM | Nov 12, 2018 |
CVE-2018-19217 | ** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party. | MEDIUM | Nov 12, 2018 |
CVE-2018-19216 | Netwide Assembler (NASM) before 2.13.02 has a use-after-free in detoken at asm/preproc.c. | MEDIUM | Nov 12, 2018 |
CVE-2018-19215 | Netwide Assembler (NASM) 2.14rc16 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for the special cases of the % and $ and ! characters. | MEDIUM | Nov 12, 2018 |
CVE-2018-19214 | Netwide Assembler (NASM) 2.14rc15 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for insufficient input. | MEDIUM | Nov 12, 2018 |
CVE-2018-19213 | Netwide Assembler (NASM) through 2.14rc16 has memory leaks that may lead to DoS, related to nasm_malloc in nasmlib/malloc.c. | MEDIUM | Nov 12, 2018 |
CVE-2018-19212 | In libwebm through 2018-10-03, there is an abort caused by libwebm::Webm2Pes::InitWebmParser() that will lead to a DoS attack. | MEDIUM | Nov 12, 2018 |
CVE-2018-19211 | In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a dubious character `*' in name or alias field detection. | MEDIUM | Nov 12, 2018 |
CVE-2018-19210 | In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset. | MEDIUM | Nov 12, 2018 |
CVE-2018-19209 | Netwide Assembler (NASM) 2.14rc15 has a NULL pointer dereference in the function find_label in asm/labels.c that will lead to a DoS attack. | MEDIUM | Nov 12, 2018 |
CVE-2018-19208 | In libwpd 0.10.2, there is a NULL pointer dereference in the function WP6ContentListener::defineTable in WP6ContentListener.cpp that will lead to a denial of service attack. This is related to WPXTable.h. | MEDIUM | Nov 12, 2018 |
CVE-2018-19207 | The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018. | HIGH | Nov 12, 2018 |
CVE-2018-19206 | steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. | MEDIUM | Nov 12, 2018 |
CVE-2018-19205 | Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. | MEDIUM | Nov 12, 2018 |
CVE-2018-19204 | PRTG Network Monitor before 18.3.44.2054 allows a remote authenticated attacker (with read-write privileges) to execute arbitrary code and OS commands with system privileges. When creating an HTTP Advanced Sensor, the user's input in the POST parameter 'proxyport_' is mishandled. The attacker can craft an HTTP request and override the 'writeresult' command-line parameter for HttpAdvancedSensor.exe to store arbitrary data in an arbitrary place on the file system. For example, the attacker can create an executable file in the \Custom Sensors\EXE directory and execute it by creating EXE/Script Sensor. | HIGH | Nov 12, 2018 |
CVE-2018-19203 | PRTG Network Monitor before 18.2.41.1652 allows remote unauthenticated attackers to terminate the PRTG Core Server Service via a special HTTP request. | MEDIUM | Nov 12, 2018 |
CVE-2018-19202 | A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter. | MEDIUM | Apr 12, 2019 |
CVE-2018-19201 | A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter. | MEDIUM | Apr 12, 2019 |
CVE-2018-19200 | An issue was discovered in uriparser before 0.9.0. UriCommon.c allows attempted operations on NULL input via a uriResetUri* function. | MEDIUM | Nov 12, 2018 |
CVE-2018-19199 | An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx* function because of an unchecked multiplication. | HIGH | Nov 12, 2018 |
CVE-2018-19198 | An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts. | HIGH | Nov 12, 2018 |
CVE-2018-19197 | An issue was discovered in XiaoCms 20141229. admin\controller\database.php allows arbitrary directory deletion via admin/index.php?c=database&a=import&paths[]=../ directory traversal. | MEDIUM | Nov 12, 2018 |
CVE-2018-19196 | An issue was discovered in XiaoCms 20141229. It allows remote attackers to execute arbitrary code by using the type parameter to bypass the standard admin\controller\uploadfile.php restrictions on uploaded file types (jpg, jpeg, bmp, png, gif), as demonstrated by an admin/index.php?c=uploadfile&a=uploadify_upload&type=php URI. | HIGH | Nov 12, 2018 |
CVE-2018-19195 | An issue was discovered in XiaoCms 20141229. There is XSS related to the template\default\show_product.html file. | MEDIUM | Nov 12, 2018 |
CVE-2018-19194 | An issue was discovered in XiaoCms 20141229. /admin/index.php?c=database allows full path disclosure in a failed to open stream error message. | MEDIUM | Nov 12, 2018 |
CVE-2018-19193 | An issue was discovered in XiaoCms 20141229. There is XSS via the largest input box on the New news screen. | MEDIUM | Nov 12, 2018 |
CVE-2018-19192 | An issue was discovered in XiaoCms 20141229. admin/index.php?c=content&a=add&catid=3 has CSRF, as demonstrated by entering news via the data[content] parameter. | MEDIUM | Nov 12, 2018 |
CVE-2018-19191 | Webmin 1.890 has XSS via /config.cgi?webmin, the /shell/index.cgi history parameter, /shell/index.cgi?stripped=1, or the /webminlog/search.cgi uall or mall parameter. | LOW | Mar 21, 2019 |
CVE-2018-19190 | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the error.php error_msg parameter. | MEDIUM | Nov 14, 2018 |
CVE-2018-19189 | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in an error.php echo statement. | MEDIUM | Nov 14, 2018 |
CVE-2018-19188 | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the success.php fort_id parameter. | MEDIUM | Nov 14, 2018 |
CVE-2018-19187 | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via an arbitrary parameter name or value that is mishandled in a success.php echo statement. | MEDIUM | Nov 14, 2018 |
CVE-2018-19186 | The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the route.php paymentMethod parameter. | MEDIUM | Nov 14, 2018 |
CVE-2018-19185 | An issue has been found in libIEC61850 v1.3. It is a heap-based buffer overflow in BerEncoder_encodeOctetString in mms/asn1/ber_encoder.c. This is exploitable even after CVE-2018-18834 has been patched, with a different dataSetValue sequence than the CVE-2018-18834 attack vector. | HIGH | Nov 12, 2018 |
CVE-2018-19184 | cmd/evm/runner.go in Go Ethereum (aka geth) 1.8.17 allows attackers to cause a denial of service (SEGV) via crafted bytecode. | MEDIUM | Nov 11, 2018 |
CVE-2018-19183 | ethereumjs-vm 2.4.0 allows attackers to cause a denial of service (vm.runCode failure and REVERT) via a code: Buffer.from(my_code, 'hex') attribute. | MEDIUM | Nov 11, 2018 |
CVE-2018-19182 | Engelsystem before commit hash 2e28336 allows CSRF. | MEDIUM | Dec 26, 2018 |
CVE-2018-19181 | statics/ueditor/php/vendor/Local.class.php in YUNUCMS 1.1.5 allows arbitrary file deletion via the statics/ueditor/php/controller.php?action=remove key parameter, as demonstrated by using directory traversal to delete the install.lock file. | MEDIUM | Nov 11, 2018 |
CVE-2018-19180 | statics/app/index/controller/Install.php in YUNUCMS 1.1.5 (if install.lock is not present) allows remote attackers to execute arbitrary PHP code by placing this code in the index.php?s=index/install/setup2 DB_PREFIX field, which is written to database.php. | HIGH | Nov 11, 2018 |
CVE-2018-19178 | In JEESNS 1.3, com/lxinet/jeesns/core/utils/XssHttpServletRequestWrapper.java allows stored XSS via an HTML EMBED element, a different vulnerability than CVE-2018-17886. | LOW | Nov 11, 2018 |
CVE-2018-19170 | In JPress v1.0-rc.5, there is stored XSS via each of the first three input fields to the starter-tomcat-1.0/admin/setting URI, as demonstrated by the web_name parameter. | LOW | Nov 11, 2018 |
CVE-2018-19168 | Shell Metacharacter Injection in www/modules/save.php in FruityWifi (aka PatatasFritas/PatataWifi) through 2.4 allows remote attackers to execute arbitrary code with root privileges via a crafted mod_name parameter in a POST request. NOTE: unlike in CVE-2018-17317, the attacker does not need a valid session. | HIGH | Nov 10, 2018 |