Skip to main content
CVE-2018-8734 CRITICAL POC THREAT Emergency

SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Nagios Xi
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
53.2%
CVE-2018-8733 CRITICAL POC THREAT Emergency

Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Authentication Bypass Nagios Xi
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
27.5%
CVE-2018-8736 HIGH POC THREAT Act Now

A privilege escalation vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to leverage an RCE vulnerability escalating to root. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Nagios Xi
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
46.9%
CVE-2018-8735 HIGH POC THREAT Act Now

Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Nagios Xi
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
64.2%
CVE-2018-5341 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
8.2%
CVE-2018-5339 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
7.6%
CVE-2018-5338 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Authentication Bypass Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
9.0%
CVE-2018-5337 CRITICAL POC Act Now

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Path Traversal Manageengine Desktop Central
NVD
CVSS 3.0
9.8
EPSS
9.5%
CVE-2018-1000158 HIGH POC This Week

cmsmadesimple version 2.2.7 contains a Incorrect Access Control vulnerability in the function of send_recovery_email in the line "$url = $config['admin_url'] . Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Cms Made Simple
NVD
CVSS 3.0
8.8
EPSS
1.1%
CVE-2018-1000167 HIGH POC PATCH This Week

OISF suricata-update version 1.0.0a1 contains an Insecure Deserialization vulnerability in the insecure yaml.load-Function as used in the following files: config.py:136, config.py:142, sources.py:99. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Suricata Deserialization RCE Suricata Update
NVD
CVSS 3.0
7.8
EPSS
4.2%
CVE-2018-1000164 HIGH POC PATCH This Week

gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gunicorn Debian Linux
NVD GitHub
CVSS 3.0
7.5
EPSS
2.4%
CVE-2018-10193 HIGH POC This Week

LogMeIn LastPass through 4.15.0 allows remote attackers to cause a denial of service (browser hang) via an HTML document because the resource consumption of onloadwff.js grows with the number of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Lastpass
NVD
CVSS 3.0
7.5
EPSS
4.8%
CVE-2018-5342 HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure PostgreSQL Manageengine Desktop Central
NVD
CVSS 3.0
7.2
EPSS
3.8%
CVE-2018-5340 HIGH POC This Week

An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zoho Information Disclosure Manageengine Desktop Central
NVD
CVSS 3.0
7.2
EPSS
5.2%
CVE-2018-1000163 MEDIUM POC This Month

Floodlight version 1.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in the web console that can result in javascript injections into the web page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Floodlight
NVD
CVSS 3.0
6.1
EPSS
0.7%
CVE-2018-1000160 MEDIUM POC PATCH This Month

RisingStack protect version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in isXss() function in lib/rules/xss.js that can result in dangerous XSS strings being validated as. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Protect
NVD GitHub
CVSS 3.0
6.1
EPSS
1.3%
CVE-2018-8831 MEDIUM POC THREAT This Month

A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Kodi
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
53.9%
CVE-2018-8840 CRITICAL Act Now

A remote attacker could send a carefully crafted packet in InduSoft Web Studio v8.1 and prior versions, and/or InTouch Machine Edition 2017 v8.1 and prior versions during a tag, alarm, or event. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Stack Overflow Web Studio Intouch Machine Edition 2017
NVD
CVSS 3.0
9.8
EPSS
8.4%
CVE-2018-7761 CRITICAL Act Now

A vulnerability exists in the HTTP request parser in Schneider Electric's Modicon M340, Modicon Premium, Modicon Quantum PLC, BMXNOR0200 which could allow arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric RCE Bmxnor0200 Firmware Bmxnor0200H Firmware 140Cpu65150 Firmware +54
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2018-7760 CRITICAL Act Now

An authorization bypass vulnerability exists in Schneider Electric's Modicon M340, Modicon Premium, Modicon Quantum PLC, BMXNOR0200. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Authentication Bypass Bmxnor0200 Firmware Bmxnor0200H Firmware 140Cpu65150 Firmware +54
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2018-7246 CRITICAL Act Now

A cleartext transmission of sensitive information vulnerability exists in Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Information Disclosure 66074 Mge Network Management Card Transverse
NVD
CVSS 3.0
9.8
EPSS
0.9%
CVE-2018-7243 CRITICAL Act Now

An authorization bypass vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Authentication Bypass 66074 Mge Network Management Card Transverse
NVD
CVSS 3.0
9.8
EPSS
2.8%
CVE-2018-7242 CRITICAL Act Now

Vulnerable hash algorithms exists in Schneider Electric's Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all versions of the communication modules. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Information Disclosure Bmxnor0200 Firmware Bmxnor0200H Firmware 140Cpu65150 Firmware +54
NVD
CVSS 3.0
9.8
EPSS
1.9%
CVE-2018-7241 CRITICAL Act Now

Hard coded accounts exist in Schneider Electric's Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all versions of the communication modules. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Authentication Bypass Bmxnor0200 Firmware Bmxnor0200H Firmware 140Cpu65150 Firmware +54
NVD
CVSS 3.0
9.8
EPSS
3.8%
CVE-2018-10199 CRITICAL PATCH Act Now

In versions of mruby up to and including 1.4.0, a use-after-free vulnerability exists in src/io.c::File#initilialize_copy(). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption RCE Use After Free Mruby
NVD GitHub
CVSS 3.0
9.8
EPSS
2.3%
CVE-2018-8092 CRITICAL PATCH Act Now

Mautic before 2.13.0 allows CSV injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Mautic
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
CVE-2018-7245 CRITICAL Act Now

An improper authorization vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Authentication Bypass 66074 Mge Network Management Card Transverse
NVD
CVSS 3.0
9.1
EPSS
1.3%
CVE-2018-10204 HIGH This Week

PureVPN 6.0.1 for Windows suffers from a SYSTEM privilege escalation vulnerability in its "sevpnclient" service. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Microsoft Purevpn
NVD GitHub
CVSS 3.0
8.8
EPSS
1.5%
CVE-2018-10110 MEDIUM POC This Month

D-Link DIR-615 T1 devices allow XSS via the Add User feature. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS D-Link Dir 615 T1 Firmware
NVD Exploit-DB
CVSS 3.0
4.8
EPSS
3.5%
CVE-2018-7240 HIGH This Week

A vulnerability exists in Schneider Electric's Modicon Quantum in all versions of the communication modules which could allow arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Schneider Electric Buffer Overflow RCE Denial Of Service Memory Corruption +13
NVD
CVSS 3.0
8.8
EPSS
3.3%
CVE-2018-1088 HIGH PATCH This Week

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Privilege Escalation Gluster Storage Virtualization Virtualization Host Enterprise Linux Server +2
NVD
CVSS 3.1
8.1
EPSS
5.4%
CVE-2018-1240 HIGH This Week

Dell EMC ViPR Controller, versions after 3.0.0.38, contain an information exposure vulnerability in the VRRP. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Dell Denial Of Service Information Disclosure Vipr Controller
NVD
CVSS 3.0
8.0
EPSS
0.5%
CVE-2018-1274 HIGH PATCH This Week

Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Java Denial Of Service Spring Data Commons Spring Data Rest
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2018-10194 HIGH This Week

The set_text_distance function in devices/vector/gdevpdts.c in the pdfwrite component in Artifex Ghostscript through 9.22 does not prevent overflows in text-positioning calculation, which allows. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Ghostscript Ubuntu Linux Debian Linux +6
NVD
CVSS 3.0
7.8
EPSS
1.9%
CVE-2018-7762 HIGH This Week

A vulnerability exists in the web services to process SOAP requests in Schneider Electric's Modicon M340, Modicon Premium, Modicon Quantum PLC, BMXNOR0200 which could allow result in a buffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Buffer Overflow Bmxnor0200 Firmware Bmxnor0200H Firmware 140Cpu65150 Firmware +54
NVD
CVSS 3.0
7.5
EPSS
1.3%
CVE-2018-7759 HIGH This Week

A buffer overflow vulnerability exists in Schneider Electric's Modicon M340, Modicon Premium, Modicon Quantum PLC, BMXNOR0200. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Buffer Overflow Bmxnor0200 Firmware Bmxnor0200H Firmware 140Cpu65150 Firmware +54
NVD
CVSS 3.0
7.5
EPSS
1.3%
CVE-2018-1000165 HIGH PATCH This Week

LightSAML version prior to 1.3.5 contains a Incorrect Access Control vulnerability in signature validation in readers in src/LightSaml/Model/XmlDSig/ that can result in impersonation of any user from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Lightsaml
NVD GitHub
CVSS 3.0
7.5
EPSS
1.3%
CVE-2018-6413 HIGH This Week

There is a buffer overflow in the Hikvision Camera DS-2CD9111-S of V4.1.2 build 160203 and before, and this vulnerability allows remote attackers to launch a denial of service attack (service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hikvision Denial Of Service Buffer Overflow Ds 2Cd9111 S Firmware
NVD
CVSS 3.0
7.5
EPSS
1.7%
CVE-2018-7758 MEDIUM This Month

A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Denial Of Service Micom P141 Firmware Micom P142 Firmware Micom P143 Firmware +20
NVD
CVSS 3.0
6.5
EPSS
0.6%
CVE-2018-1325 MEDIUM PATCH This Month

In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Wicket Jquery Ui
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-1000162 MEDIUM PATCH This Month

Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS RCE Parsedown
NVD GitHub
CVSS 3.0
6.1
EPSS
1.2%
CVE-2018-9990 MEDIUM This Month

In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-9987 MEDIUM This Month

In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-9986 MEDIUM This Month

In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-8071 MEDIUM PATCH This Month

Mautic before v2.13.0 has stored XSS via a theme config file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Mautic
NVD GitHub
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-1000159 MEDIUM PATCH This Month

tlslite-ng version 0.7.3 and earlier, since commit d7b288316bca7bcdd082e6ccff5491e241305233 contains a CWE-354: Improper Validation of Integrity Check Value vulnerability in TLS implementation,. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Tlslite Ng
NVD GitHub
CVSS 3.0
5.9
EPSS
0.8%
CVE-2018-1000161 MEDIUM This Month

nmap version 6.49BETA6 through 7.60, up to and including SVN revision 37147 contains a Directory Traversal vulnerability in NSE script http-fetch that can result in file overwrite as the user is. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Nmap
NVD
CVSS 3.0
5.7
EPSS
1.0%
CVE-2018-9999 MEDIUM This Month

In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Zulip Server
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-7244 MEDIUM This Month

An information disclosure vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Schneider Electric Information Disclosure 66074 Mge Network Management Card Transverse
NVD
CVSS 3.0
5.3
EPSS
1.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy