Search Results (349499 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-3760 | 3 Debian, Redhat, Sprockets Project | 6 Debian Linux, Cloudforms, Cloudforms Managementengine and 3 more | 2024-11-21 | N/A |
| There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately. | ||||
| CVE-2018-3759 | 1 Private Address Check Project | 1 Private Address Check | 2024-11-21 | N/A |
| private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address but the subsequent resolution is a private address. | ||||
| CVE-2018-3758 | 1 Express-cart Project | 1 Express-cart | 2024-11-21 | 8.8 High |
| Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access to the hosting machine. | ||||
| CVE-2018-3757 | 1 Pdf-image Project | 1 Pdf-image | 2024-11-21 | 9.8 Critical |
| Command injection exists in pdf-image v2.0.0 due to an unescaped string parameter. | ||||
| CVE-2018-3756 | 1 Hyperledger | 1 Iroha | 2024-11-21 | N/A |
| Hyperledger Iroha versions v1.0_beta and v1.0.0_beta-1 are vulnerable to transaction and block signature verification bypass in the transaction and block validator allowing a single node to sign a transaction and/or block multiple times, each with a random nonce, and have other validating nodes accept them as separate valid signatures. | ||||
| CVE-2018-3755 | 1 Sexstatic Project | 1 Sexstatic | 2024-11-21 | 6.1 Medium |
| XSS in sexstatic <=0.6.2: HTML injection in directory name(s) leads to stored XSS when a malicious file is embedded with an <iframe> element used in the directory name. | ||||
| CVE-2018-3754 | 1 Query-mysql Project | 1 Query-mysql | 2024-11-21 | N/A |
| Node.js third-party module query-mysql versions 0.0.0, 0.0.1, and 0.0.2 are vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from the database. | ||||
| CVE-2018-3753 | 1 Merge-object Project | 1 Merge-object | 2024-11-21 | N/A |
| The utilities function in all versions <= 1.0.0 of the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | ||||
| CVE-2018-3752 | 1 Merge-options Project | 1 Merge-options | 2024-11-21 | N/A |
| The utilities function in all versions <= 1.0.0 of the merge-options node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | ||||
| CVE-2018-3751 | 1 Umbraengineering | 1 Merge-recursive | 2024-11-21 | N/A |
| The utilities function in all versions <= 0.3.0 of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | ||||
| CVE-2018-3750 | 2 Deep Extend Project, Redhat | 3 Deep Extend, Enterprise Linux, Rhel Software Collections | 2024-11-21 | N/A |
| The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | ||||
| CVE-2018-3749 | 1 Deap Project | 1 Deap | 2024-11-21 | N/A |
| The utilities function in all versions < 1.0.1 of the deap node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects. | ||||
| CVE-2018-3748 | 1 Glance Project | 1 Glance | 2024-11-21 | N/A |
| There is a stored XSS vulnerability in the glance node module versions <= 3.0.5. A file name that contains malicious HTML (e.g. an embedded iframe element or a javascript: pseudo-protocol handler in an <a> element) allows execution of JavaScript code against any user who opens a directory listing containing such a crafted file name. | ||||
| CVE-2018-3747 | 1 Public.js Project | 1 Public.js | 2024-11-21 | N/A |
| The public node module versions <= 1.0.3 allow embedding HTML in file names, which (in certain conditions) might lead to execution of malicious JavaScript. | ||||
| CVE-2018-3746 | 1 Pdfinfojs Project | 1 Pdfinfojs | 2024-11-21 | 9.8 Critical |
| The pdfinfojs NPM module versions <= 0.3.6 have a command injection vulnerability that allows an attacker to execute arbitrary commands on the victim's machine. | ||||
| CVE-2018-3745 | 1 Atob Project | 1 Atob | 2024-11-21 | 9.1 Critical |
| atob 2.0.3 and earlier allocates uninitialized Buffers when a number is passed as input on Node.js 4.x and below. | ||||
| CVE-2018-3744 | 1 Html-pages Project | 1 Html-pages | 2024-11-21 | 9.8 Critical |
| The html-pages node module contains a path traversal vulnerability that allows an attacker to read any file from the server with cURL. | ||||
| CVE-2018-3743 | 1 Hekto Project | 1 Hekto | 2024-11-21 | 6.1 Medium |
| Open redirect in hekto <=0.2.3 when target domain name is used as html filename on server. | ||||
| CVE-2018-3741 | 2 Redhat, Rubyonrails | 2 Cloudforms Managementengine, Html Sanitizer | 2024-11-21 | 6.1 Medium |
| There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately. | ||||
| CVE-2018-3740 | 1 Sanitize Project | 1 Sanitize | 2024-11-21 | N/A |
| A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element. | ||||