Total
980 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10665 | 1 Librenms | 1 Librenms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in LibreNMS through 1.47. The scripts that handle the graphing options (html/includes/graphs/common.inc.php and html/includes/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php script. RRDtool syntax is quite versatile and an attacker could leverage this to perform a number of attacks, including disclosing directory structure and filenames, file content, denial of service, or writing arbitrary files. | |||||
| CVE-2019-10074 | 1 Apache | 1 Ofbiz | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An RCE is possible by entering Freemarker markup in an Apache OFBiz Form Widget textarea field when encoding has been disabled on such a field. This was the case for the Customer Request "story" input in the Order Manager application. Encoding should not be disabled without good reason and never within a field that accepts user input. Mitigation: Upgrade to 16.11.06 or manually apply the following commit on branch 16.11: r1858533 | |||||
| CVE-2019-1020006 | 1 Inveniosoftware | 1 Invenio-app | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| invenio-app before 1.1.1 allows host header injection. | |||||
| CVE-2019-1010310 | 1 Glpi-project | 1 Glpi | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| GLPI GLPI Product 9.3.1 is affected by: Frame and Form tags Injection allowing admins to phish users by putting code in reminder description. The impact is: Admins can phish any user or group of users for credentials / credit cards. The component is: Tools > Reminder > Description .. Set the description to any iframe/form tags and apply. The attack vector is: The attacker puts a login form, the user fills it and clicks on submit .. the request is sent to the attacker domain saving the data. The fixed version is: 9.4.1. | |||||
| CVE-2019-0319 | 1 Sap | 2 Gateway, Ui5 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not. | |||||
| CVE-2019-0304 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FTP Function of SAP NetWeaver AS ABAP Platform, versions- KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, allows an attacker to inject code or specifically manipulated command that can be executed by the application. An attacker could thereby control the behaviour of the application. | |||||
| CVE-2018-9062 | 1 Lenovo | 97 20hm, 20hn, 20hq and 94 more | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| In some Lenovo ThinkPad products, one BIOS region is not properly included in the checks, allowing injection of arbitrary code. | |||||
| CVE-2018-7032 | 1 Myrepos Project | 1 Myrepos | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
| webcheckout in myrepos through 1.20171231 does not sanitize URLs that are passed to git clone, allowing a malicious website operator or a MitM attacker to take advantage of it for arbitrary code execution, as demonstrated by an "ext::sh -c" attack or an option injection attack. | |||||
| CVE-2018-6603 | 1 Promise | 1 Webpam Proe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Promise Technology WebPam Pro-E devices allow remote attackers to conduct XSS, HTTP Response Splitting, and CRLF Injection attacks via JavaScript code in a PHPSESSID cookie. | |||||
| CVE-2018-6519 | 2 Debian, Simplesamlphp | 2 Debian Linux, Saml2 | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp. | |||||
| CVE-2018-6289 | 1 Kaspersky | 1 Secure Mail Gateway | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Configuration file injection leading to Code Execution as Root in Kaspersky Secure Mail Gateway version 1.1. | |||||
| CVE-2018-6220 | 1 Trendmicro | 1 Email Encryption Gateway | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An arbitrary file write vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject arbitrary data, which may lead to gaining code execution on vulnerable systems. | |||||
| CVE-2018-4995 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an XFA '\n' POST injection vulnerability. Successful exploitation could lead to a security bypass. | |||||
| CVE-2018-4235 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Messages" component. It allows local users to perform impersonation attacks via an unspecified injection. | |||||
| CVE-2018-4153 | 1 Apple | 1 Mac Os X | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An injection issue was addressed with improved validation. This issue affected versions prior to macOS Mojave 10.14. | |||||
| CVE-2018-4106 | 1 Apple | 1 Mac Os X | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Bracketed Paste Mode of the "Terminal" component. It allows user-assisted attackers to inject arbitrary commands within pasted content. | |||||
| CVE-2018-25016 | 1 Greenbone | 2 Greenbone Os, Greenbone Security Assistant | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Greenbone Security Assistant (GSA) before 7.0.3 and Greenbone OS (GOS) before 5.0.0 allow Host Header Injection. | |||||
| CVE-2018-21268 | 1 Traceroute Project | 1 Traceroute | 2024-11-21 | 7.5 HIGH | 10.0 CRITICAL |
| The traceroute (aka node-traceroute) package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec() method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character. | |||||
| CVE-2018-21258 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash command. | |||||
| CVE-2018-21228 | 1 Netgear | 26 D7800, D7800 Firmware, Ex6100 and 23 more | 2024-11-21 | 5.2 MEDIUM | 6.8 MEDIUM |
| Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D7800 before 1.0.1.34, EX6100v2 before 1.0.1.50, EX6150v2 before 1.0.1.50, EX6200v2 before 1.0.1.44, EX6400 before 1.0.1.60, EX7300 before 1.0.1.60, R6100 before 1.0.1.16, R7500 before 1.0.0.110, R7800 before 1.0.2.32, R9000 before 1.0.2.30, WN3000RPv3 before 1.0.2.50, WNDR4300v2 before 1.0.0.50, and WNDR4500v3 before 1.0.0.50. | |||||