Search Results (44015 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11682 | 1 Lutron | 6 Homeworks Qs, Homeworks Qs Firmware, Radiora 2 and 3 more | 2024-11-21 | 9.8 Critical |
| Default and unremovable support credentials allow attackers to gain total super user control of an IoT device through a TELNET session to products using the Stanza Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this ID as not being a vulnerability because what can be done through the ports revolves around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. | ||||
| CVE-2018-11681 | 1 Lutron | 6 Homeworks Qs, Homeworks Qs Firmware, Radiora 2 and 3 more | 2024-11-21 | 9.8 Critical |
| Default and unremovable support credentials (user:nwk password:nwk2) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the RadioRA 2 Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this ID as not being a vulnerability because what can be done through the ports revolves around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. | ||||
| CVE-2018-11651 | 1 Graylog | 1 Graylog | 2024-11-21 | N/A |
| Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx. | ||||
| CVE-2018-11650 | 1 Graylog | 1 Graylog | 2024-11-21 | N/A |
| Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js. | ||||
| CVE-2018-11649 | 1 Gethue | 1 Hue | 2024-11-21 | N/A |
| Hue 3.12 has XSS via the /pig/save/ name and script parameters. | ||||
| CVE-2018-11647 | 1 Oauth2orize-fprm Project | 1 Oauth2orize-fprm | 2024-11-21 | N/A |
| index.js in oauth2orize-fprm before 0.2.1 has XSS via a crafted URL. | ||||
| CVE-2018-11641 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Use of Hard-coded Credentials in /var/www/xms/application/controllers/gatherLogs.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to interact with a web service. | ||||
| CVE-2018-11635 | 1 Dialogic | 1 Powermedia Xms | 2024-11-21 | N/A |
| Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication. | ||||
| CVE-2018-11629 | 1 Lutron | 6 Homeworks Qs, Homeworks Qs Firmware, Radiora 2 and 3 more | 2024-11-21 | N/A |
| Default and unremovable support credentials (user:lutron password:integration) allow attackers to gain total super user control of an IoT device through a TELNET session to products using the HomeWorks QS Lutron integration protocol Revision M to Revision Y. NOTE: The vendor disputes this ID as not being a vulnerability because what can be done through the ports revolves around controlling lighting, not code execution. A certain set of commands are listed, which bear some similarity to code, but they are not arbitrary and do not allow admin-level control of a machine. | ||||
| CVE-2018-11628 | 1 Emssoftware | 1 Ems Master Calendar | 2024-11-21 | N/A |
| Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS. | ||||
| CVE-2018-11627 | 2 Redhat, Sinatrarb | 3 Cloudforms, Cloudforms Managementengine, Sinatra | 2024-11-21 | N/A |
| Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception. | ||||
| CVE-2018-11588 | 1 Centreon | 2 Centreon, Centreon Web | 2024-11-21 | N/A |
| Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php. | ||||
| CVE-2018-11583 | 1 Seacms | 1 Seacms | 2024-11-21 | N/A |
| SeaCMS 6.61 has stored XSS in admin_collect.php via the siteurl parameter. | ||||
| CVE-2018-11581 | 1 Brother | 4 Hl-l2340d, Hl-l2340d Firmware, Hl-l2380dw and 1 more | 2024-11-21 | N/A |
| Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html. | ||||
| CVE-2018-11580 | 1 Multidots | 1 Mass Pages/posts Creator | 2024-11-21 | N/A |
| An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged-in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site and create hundreds of thousands of posts with custom content. | ||||
| CVE-2018-11572 | 1 Clippercms | 1 Clippercms | 2024-11-21 | N/A |
| ClipperCMS 1.3.3 has XSS in the "Module name" field in a "Modules -> Manage modules -> edit" action to the manager/ URI. | ||||
| CVE-2018-11568 | 1 Cactusthemes | 1 Gameplan-event And Gym Fitness | 2024-11-21 | N/A |
| Reflected XSS is possible in the GamePlan theme through 1.5.13.2 for WordPress because of insufficient input sanitization, as demonstrated by the s parameter. In some (but not all) cases, the '<' and '>' characters have `&lt;` and `&gt;` representations. | ||||
| CVE-2018-11564 | 1 Pagekit | 1 Pagekit | 2024-11-21 | N/A |
| Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg" that will point to http://localhost/pagekit/storage/poc.svg. When a user comes along to click that link, it will trigger an XSS attack. | ||||
| CVE-2018-11562 | 1 Misp | 1 Misp | 2024-11-21 | N/A |
| An issue was discovered in MISP 2.4.91. A vulnerability in app/View/Elements/eventattribute.ctp allows reflected XSS if a user clicks on a malicious link for an event view and then clicks on the deleted attributes quick filter. | ||||
| CVE-2018-11559 | 1 Domainmod | 1 Domainmod | 2024-11-21 | N/A |
| DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter. | ||||