Export limit exceeded: 348842 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (348842 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-20153 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | N/A |
| In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. | ||||
| CVE-2018-20152 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | N/A |
| In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | ||||
| CVE-2018-20151 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | N/A |
| In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. | ||||
| CVE-2018-20150 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | N/A |
| In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. | ||||
| CVE-2018-20149 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | N/A |
| In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. | ||||
| CVE-2018-20148 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | N/A |
| In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. | ||||
| CVE-2018-20147 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-11-21 | N/A |
| In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. | ||||
| CVE-2018-20146 | 1 Liquidware | 2 Flexapp, Profileunity | 2024-11-21 | N/A |
| An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell. | ||||
| CVE-2018-20145 | 1 Eclipse | 1 Mosquitto | 2024-11-21 | N/A |
| Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored. | ||||
| CVE-2018-20144 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A |
| GitLab Community and Enterprise Edition 11.x before 11.3.13, 11.4.x before 11.4.11, and 11.5.x before 11.5.4 has Incorrect Access Control. | ||||
| CVE-2018-20141 | 1 Abantecart | 1 Abantecart | 2024-11-21 | N/A |
| AbanteCart 1.2.12 has reflected cross-site scripting (XSS) via the sort parameter, as demonstrated by a /apparel--accessories?sort= substring. | ||||
| CVE-2018-20140 | 1 Zenphoto | 1 Zenphoto | 2024-11-21 | N/A |
| Zenphoto 1.4.14 has multiple cross-site scripting (XSS) vulnerabilities via different URL parameters. | ||||
| CVE-2018-20138 | 1 Readymadeb2bscript | 1 Entrepreneur B2b Script | 2024-11-21 | 5.4 Medium |
| PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541. | ||||
| CVE-2018-20137 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | N/A |
| XSS exists in FUEL CMS 1.4.3 via the Page title, Meta description, or Meta keywords during page data management, as demonstrated by the pages/edit/1?lang=english URI. | ||||
| CVE-2018-20136 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | N/A |
| XSS exists in FUEL CMS 1.4.3 via the Header or Body in the Layout Variables during new-page creation, as demonstrated by the pages/edit/1?lang=english URI. | ||||
| CVE-2018-20135 | 1 Samsung | 1 Galaxy Apps | 2024-11-21 | N/A |
| Samsung Galaxy Apps before 4.4.01.7 allows modification of the hostname used for load balancing on installations of applications through a man-in-the-middle attack. An attacker may trick Galaxy Apps into using an arbitrary hostname for which the attacker can provide a valid SSL certificate, and emulate the API of the app store to modify existing apps at installation time. The specific flaw involves an HTTP method to obtain the load-balanced hostname that enforces SSL only after obtaining a hostname from the load balancer, and a missing app signature validation in the application XML. An attacker can exploit this vulnerability to achieve Remote Code Execution on the device. The Samsung ID is SVE-2018-12071. | ||||
| CVE-2018-20133 | 1 Ymlref Project | 1 Ymlref | 2024-11-21 | N/A |
| ymlref allows code injection. | ||||
| CVE-2018-20131 | 2 Code42, Linux | 2 Code42, Linux Kernel | 2024-11-21 | N/A |
| The Code42 app before 6.8.4, as used in Code42 for Enterprise, on Linux installs with overly permissive permissions on the /usr/local/crashplan/log directory. This allows a user to manipulate symbolic links to escalate privileges, or show the contents of sensitive files that a regular user would not have access to. | ||||
| CVE-2018-20129 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A |
| An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value. | ||||
| CVE-2018-20128 | 1 Usualtool | 1 Usualtoolcms | 2024-11-21 | N/A |
| An issue was discovered in UsualToolCMS v8.0. cmsadmin\a_sqlback.php allows remote attackers to delete arbitrary files via a backname[] directory-traversal pathname followed by a crafted substring. | ||||