The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2018-17416 | A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter. | MEDIUM | Mar 22, 2019 |
| CVE-2018-17415 | zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter. | MEDIUM | Mar 22, 2019 |
| CVE-2018-17414 | zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter. | MEDIUM | Mar 22, 2019 |
| CVE-2018-17413 | XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter. | MEDIUM | Mar 22, 2019 |
| CVE-2018-17412 | zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header. | HIGH | Mar 22, 2019 |
| CVE-2018-17411 | An XML External Entity (XXE) vulnerability exists in iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20. | HIGH | Sep 26, 2018 |
| CVE-2018-17410 | Horus CMS allows SQL Injection, as demonstrated by a request to the /busca or /home URI. | HIGH | Sep 26, 2018 |
| CVE-2018-17408 | Stack-based buffer overflows in Zahir Accounting Enterprise Plus 6 through build 10b allow remote attackers to execute arbitrary code via a crafted CSV file that is accessed through the Import CSV File menu. | MEDIUM | Oct 3, 2018 |
| CVE-2018-17407 | An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex. | MEDIUM | Sep 26, 2018 |
| CVE-2018-17404 | The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Android might allow an attacker to sniff private information such as mobile number, PAN number (from a government-issued ID), and date of birth. | LOW | Sep 27, 2018 |
| CVE-2018-17403 | ** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to impersonate a user and set up their account without their knowledge. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots. | MEDIUM | Oct 3, 2019 |
| CVE-2018-17402 | ** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots. | LOW | Nov 8, 2018 |
| CVE-2018-17401 | ** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots. | MEDIUM | Nov 8, 2018 |
| CVE-2018-17400 | ** DISPUTED ** The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by intercepting the user name and PIN during the initial configuration of the application. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots. | LOW | Oct 3, 2019 |
| CVE-2018-17399 | SQL Injection exists in the Jimtawl 2.2.7 component for Joomla! via the id parameter. | HIGH | Jun 20, 2019 |
| CVE-2018-17398 | SQL Injection exists in the AMGallery 1.2.3 component for Joomla! via the filter_category_id parameter. | HIGH | Jun 20, 2019 |
| CVE-2018-17397 | SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for Joomla! via the letter parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17394 | SQL Injection exists in the Timetable Schedule 3.6.8 component for Joomla! via the eid parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17393 | SQL Injection exists in HealthNode Hospital Management System 1.0 via the id parameter to dashboard/Patient/info.php or dashboard/Patient/patientdetails.php. | HIGH | Jun 20, 2019 |
| CVE-2018-17391 | SQL Injection exists in authors_post.php in Super Cms Blog Pro 1.0 via the author parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17389 | CSRF exists in server.php in Live Call Support Application 1.5 for adding an admin account. | MEDIUM | Jun 20, 2019 |
| CVE-2018-17388 | SQL Injection exists in Twilio WEB To Fax Machine System 1.0 via the email or password parameter to login_check.php, or the id parameter to add_email.php or edit_content.php. | HIGH | Jun 20, 2019 |
| CVE-2018-17387 | CSRF exists in Nimble Messaging Bulk SMS Marketing Application 1.0 for adding an admin account. | MEDIUM | Jun 21, 2019 |
| CVE-2018-17386 | SQL Injection exists in the Micro Deal Factory 2.4.0 component for Joomla! via the id parameter, or the PATH_INFO to mydeals/ or listdeals/. | HIGH | Jun 21, 2019 |
| CVE-2018-17385 | SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17384 | SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! via the filter_order_Dir or filter_order parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17383 | SQL Injection exists in the Collection Factory 4.1.9 component for Joomla! via the filter_order or filter_order_Dir parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17382 | SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! via the filter_letter parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17381 | SQL Injection exists in the Dutch Auction Factory 2.0.2 component for Joomla! via the filter_order_Dir or filter_order parameter. | HIGH | Jun 20, 2019 |
| CVE-2018-17380 | SQL Injection exists in the Article Factory Manager 4.3.9 component for Joomla! via the start_date, m_start_date, or m_end_date parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17379 | SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! via the filter_order_Dir or filter_order parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17378 | SQL Injection exists in the Penny Auction Factory 2.0.4 component for Joomla! via the filter_order_Dir or filter_order parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17377 | SQL Injection exists in the Questions 1.4.3 component for Joomla! via the term, userid, users, or groups parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17376 | SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17375 | SQL Injection exists in the Music Collection 3.0.3 component for Joomla! via the id parameter. | HIGH | Sep 28, 2018 |
| CVE-2018-17374 | SQL Injection exists in the Auction Factory 4.5.5 component for Joomla! via the filter_order_Dir or filter_order parameter. | HIGH | Jun 20, 2019 |
| CVE-2018-17369 | An issue was discovered in springboot_authority through 2017-03-06. There is stored XSS via the admin/role/edit roleKey, name, or description parameter. | LOW | Sep 23, 2018 |
| CVE-2018-17368 | An issue was discovered in PublicCMS V4.0.180825. For an invalid login attempt, the response length is different depending on whether the username is valid, which makes it easier to conduct brute-force attacks. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17366 | An issue was discovered in MCMS 4.6.5. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17365 | SeaCMS 6.64 and 7.2 allows remote attackers to delete arbitrary files via the filedir parameter. | MEDIUM | Sep 26, 2018 |
| CVE-2018-17364 | OTCMS 3.61 allows remote attackers to execute arbitrary PHP code via the accBackupDir parameter. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17361 | Multiple XSS vulnerabilities in WeaselCMS v0.3.6 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php because $_SERVER['PHP_SELF'] is mishandled. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17360 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. a heap-based buffer over-read in bfd_getl32 in libbfd.c allows an attacker to cause a denial of service through a crafted PE file. This vulnerability can be triggered by the executable objdump. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17359 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in bfd_zalloc in opncls.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17358 | An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory access exists in _bfd_stab_section_find_nearest_line in syms.c. Attackers could leverage this vulnerability to cause a denial of service (application crash) via a crafted ELF file. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17341 | BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a .. substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/.. URI. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17338 | An issue has been found in pdfalto through 0.2. It is a heap-based buffer overflow in the function TextPage::dump in XmlAltoOutputDev.cc. | MEDIUM | Sep 23, 2018 |
| CVE-2018-17337 | Intelbras NPLUG 1.0.0.14 devices have XSS via a crafted SSID that is received via a network broadcast. | MEDIUM | Oct 10, 2018 |
| CVE-2018-17336 | UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings. | MEDIUM | Sep 27, 2018 |
| CVE-2018-17334 | An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated. | HIGH | Sep 22, 2018 |
