68231 matches found
Jolokia 1.3.7 - Cross-Site Scripting
Jolokia 1.3.7 is vulnerable to cross-site scripting in the HTTP servlet and allows an attacker to execute malicious JavaScript in the victim's browser. id: CVE-2018-1000129 info: name: Jolokia 1.3.7 - Cross-Site Scripting author: mavericknerd,0h1in9e,daffainfo severity: medium description: |...
Schneider Electric U.motion Builder - SQL Injection
The vulnerability exists within processing of trackimportexport.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the objectid input parameter. id: CVE-2018-7765 info: name: Schneider Electric U.motion...
WordPress Localize My Post 1.0 - Local File Inclusion
WordPress Localize My Post 1.0 is susceptible to local file inclusion via the ajax/include.php file parameter. id: CVE-2018-16299 info: name: WordPress Localize My Post 1.0 - Local File Inclusion author: 0xAkoko,0x240x23elu severity: high description: | WordPress Localize My Post 1.0 is susceptib...
SolarWinds Database Performance Analyzer 11.1.457 - Cross-Site Scripting
SolarWinds Database Performance Analyzer 11.1.457 contains a reflected cross-site scripting vulnerability in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' Button on the page, aka a /iwc/idcStateError.iwc?page= URI. id: CVE-2018-19386 info: nam...
CouchCMS <= 2.0 - Path Disclosure
CouchCMS = 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php. id: CVE-2018-7662 info: name: CouchCMS = 2.0 - Path Disclosure author: ritikchaddha severity: medium description: CouchCMS = 2.0 allows...
Apache2 - Transfer-Encoding Chunked XSS
Apache2 PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 contain a reflected cross-site scripting vulnerability caused by mishandling of chunked transfer-encoding requests in sapi/apache2handler/sapiapache2.c. Attackers can execute malicious scripts via crafted...
Gogs (Go Git Service) 0.11.66 - Remote Code Execution
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron. id: CVE-2018-18925 info: name: Go...
DomainMOD 4.11.01 - Cross-Site Scripting
DomainMOD through version 4.11.01 is vulnerable to cross-site scripting via the /assets/add/category.php CatagoryName and StakeHolder parameters. id: CVE-2018-20011 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD through version...
Cybrotech CyBroHttpServer 1.0.3 - Local File Inclusion
Cybrotech CyBroHttpServer 1.0.3 is vulnerable to local file inclusion in the URI. id: CVE-2018-16133 info: name: Cybrotech CyBroHttpServer 1.0.3 - Local File Inclusion author: 0xAkoko severity: medium description: Cybrotech CyBroHttpServer 1.0.3 is vulnerable to local file inclusion in the URI...
ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection
ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the albumid parameter in the /photo-gallery/api/album/treelists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further...
CirCarLife <4.3 - Improper Authentication
CirCarLife before 4.3 is susceptible to improper authentication. A system software information disclosure exists due to lack of authentication for /html/device-id. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2018-16671 info: name:...
D-Link Routers - Local File Inclusion
D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /...
WordPress Ninja Forms <3.3.18 - Cross-Site Scripting
WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begindate, enddate, or formid parameters. This can allow an attacker to steal cookie-based authentication credentials a...
uWSGI PHP Plugin Local File Inclusion
uWSGI PHP Plugin before 2.0.17 mishandles a DOCUMENTROOT check during use of the --php-docroot option, making it susceptible to local file inclusion. id: CVE-2018-7490 info: name: uWSGI PHP Plugin Local File Inclusion author: madrobot severity: high description: uWSGI PHP Plugin before 2.0.17...
LG-Ericsson iPECS NMS 30M - Local File Inclusion
Ericsson-LG iPECS NMS 30M allows local file inclusion via ipecs-cm/download?filename=../ URIs. id: CVE-2018-15138 info: name: LG-Ericsson iPECS NMS 30M - Local File Inclusion author: 0xAkoko severity: high description: Ericsson-LG iPECS NMS 30M allows local file inclusion via...
Planon <Live Build 41 - Cross-Site Scripting
Planon before Live Build 41 is vulnerable to cross-site scripting. id: CVE-2018-18570 info: name: Planon Live Build 41 - Cross-Site Scripting author: emadshanab severity: medium description: Planon before Live Build 41 is vulnerable to cross-site scripting. impact: | Successful exploitation of th...
Anchor CMS 0.12.3 - Error Log Exposure
Anchor CMS 0.12.3 is susceptible to an error log exposure vulnerability due to an issue in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error such as "Too many connections" has occurred. id: CVE-2018-7251 info: name: Anchor CMS 0.12.3 ...
ACME mini_httpd <1.30 - Local File Inclusion
ACME minihttpd before 1.30 is vulnerable to local file inclusion. id: CVE-2018-18778 info: name: ACME minihttpd 1.30 - Local File Inclusion author: DhiyaneshDK,dogasantos severity: medium description: ACME minihttpd before 1.30 is vulnerable to local file inclusion. impact: | Successful...
GitList < 0.6.0 Remote Code Execution
klaussilveira GitList version = 0.6 contains a passing incorrectly sanitized input via the searchTree function that can result in remote code execution. id: CVE-2018-1000533 info: name: GitList 0.6.0 Remote Code Execution author: pikpikcu severity: critical description: klaussilveira GitList...
BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting
BIBLIOsoft BIBLIOpac 2008 contains a cross-site scripting vulnerability via the db or action parameter to bin/wxis.exe/bibliopac/, which allows a remote attacker to inject arbitrary web script or HTML. id: CVE-2018-16139 info: name: BIBLIOsoft BIBLIOpac 2008 - Cross-Site Scripting author:...