Skip to main content
CVE-2018-7187 HIGH POC PATCH THREAT This Week

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Go Debian Linux
NVD GitHub
CVSS 3.1
8.8
EPSS
63.2%
CVE-2018-7176 HIGH POC This Week

FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Frontaccounting
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
2.4%
CVE-2018-3609 HIGH POC THREAT This Week

A vulnerability in the Trend Micro InterScan Messaging Security Virtual Appliance 9.0 and 9.1 management portal could allow an unauthenticated user to access sensitive information in a particular log. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Trend Micro Information Disclosure Interscan Messaging Security Virtual Appliance
NVD
CVSS 3.0
8.1
EPSS
21.8%
CVE-2018-6944 MEDIUM POC This Month

core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Ultimate Member
NVD
CVSS 3.0
6.1
EPSS
1.2%
CVE-2018-6943 MEDIUM POC This Month

core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Ultimatemember
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-7186 CRITICAL PATCH Act Now

Leptonica before 1.75.3 does not limit the number of characters in a %s format argument to fscanf or sscanf, which allows remote attackers to cause a denial of service (stack-based buffer overflow). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Denial Of Service Buffer Overflow Leptonica Debian Linux
NVD GitHub
CVSS 3.0
9.8
EPSS
3.5%
CVE-2018-0516 HIGH This Week

Untrusted search path vulnerability in FLET'S v4 / v6 address selection tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Address Selection Tool
NVD
CVSS 3.0
7.8
EPSS
0.9%
CVE-2018-0515 HIGH This Week

Untrusted search path vulnerability in "FLET'S Azukeru Backup Tool" version 1.5.2.6 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Azukeru Backup Tool
NVD
CVSS 3.0
7.8
EPSS
0.9%
CVE-2018-6218 HIGH This Week

A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Module (UMH) could allow an attacker to run arbitrary code on a vulnerable system. Rated high severity (CVSS 7.0), this vulnerability is no authentication required. No vendor patch available.

Trend Micro RCE Deep Security Endpoint Sensor Officescan +2
NVD
CVSS 3.1
7.0
EPSS
1.6%
CVE-2018-6324 MEDIUM This Month

F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated Redirect via the ReturnUrl parameter that triggers upon a user login. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Radar
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-6189 MEDIUM This Month

F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors involving the Tags parameter in the JSON request body in an outbound request for the /api/latest/vulnerabilityscans/tags/batch. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Radar
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-1049 MEDIUM PATCH This Month

In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Race Condition Denial Of Service Systemd Enterprise Linux Enterprise Linux Aus +8
NVD
CVSS 3.1
5.9
EPSS
7.3%
CVE-2018-7188 MEDIUM PATCH This Month

An XSS vulnerability (via an SVG image) in Tiki before 18 allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP Tikiwiki Cms Groupware
NVD
CVSS 3.0
5.4
EPSS
0.5%
CVE-2018-1000068 MEDIUM PATCH This Month

An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Jenkins Information Disclosure Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
5.3
EPSS
2.0%
CVE-2018-1000067 MEDIUM PATCH This Month

An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Jenkins SSRF Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
5.3
EPSS
1.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy