Skip to main content
CVE-2018-12111 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Canon PrintMe EFI webinterface allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the /wt3/mydocs.php URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Efi Printme
NVD GitHub Exploit-DB
CVSS 3.0
6.1
EPSS
2.5%
CVE-2018-12099 MEDIUM POC PATCH This Month

Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Grafana XSS Active Iq Performance Analytics Services Storagegrid Webscale Nas Bridge
NVD GitHub
CVSS 3.0
6.1
EPSS
2.1%
CVE-2018-12090 MEDIUM POC This Month

There is unauthenticated reflected cross-site scripting (XSS) in LAMS before 3.1 that allows a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized GET parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Lams
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
2.2%
CVE-2018-12108 MEDIUM POC This Month

An issue was discovered in Dropbox Lepton 1.2.1. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Lepton
NVD GitHub
CVSS 3.0
5.5
EPSS
1.2%
CVE-2018-12102 MEDIUM POC This Month

md4c 0.2.6 has a NULL pointer dereference in the function md_process_line in md4c.c, related to ctx->current_block. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Md4C
NVD GitHub
CVSS 3.0
5.5
EPSS
0.8%
CVE-2018-12095 MEDIUM POC This Month

A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Oecms
NVD Exploit-DB
CVSS 3.0
5.4
EPSS
5.6%
CVE-2018-12094 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in news.php in Dimofinf CMS Version 3.0.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Dimofinf Cms
NVD Exploit-DB
CVSS 3.0
5.4
EPSS
1.8%
CVE-2018-5165 MEDIUM POC This Month

In 32-bit versions of Firefox, the Adobe Flash plugin setting for "Enable Adobe Flash protected mode" is unchecked by default even though the Adobe Flash sandbox is actually enabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla Adobe Information Disclosure Firefox
NVD
CVSS 3.1
5.3
EPSS
1.7%
CVE-2018-5185 MEDIUM This Month

Plaintext of decrypted emails can leak through by user submitting an embedded form. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus +7
NVD
CVSS 3.0
6.5
EPSS
1.6%
CVE-2018-5169 MEDIUM This Month

If manipulated hyperlinked text with "chrome:" URL contained in it is dragged and dropped on the "home" icon, the home page can be reset to include a normally-unlinkable chrome page as one of the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
6.5
EPSS
1.4%
CVE-2018-5152 MEDIUM PATCH This Month

WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the "webRequest" API. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.7%
CVE-2018-5133 MEDIUM This Month

If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.5%
CVE-2018-5132 MEDIUM This Month

The Find API for WebExtensions can search some privileged pages, such as "about:debugging", if these pages are open in a tab. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.5%
CVE-2018-5111 MEDIUM This Month

When the text of a specially formatted URL is dragged to the addressbar from page content, the displayed URL can be spoofed to show a different site than the one loaded. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
6.5
EPSS
1.6%
CVE-2018-10360 MEDIUM PATCH This Month

The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Denial Of Service Buffer Overflow File Ubuntu Linux +1
NVD GitHub
CVSS 3.0
6.5
EPSS
3.4%
CVE-2018-5176 MEDIUM This Month

The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
6.1
EPSS
1.4%
CVE-2018-5175 MEDIUM This Month

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Ubuntu Linux Firefox
NVD
CVSS 3.0
6.1
EPSS
1.5%
CVE-2018-5164 MEDIUM This Month

Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the "multipart/x-mixed-replace" MIME type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Ubuntu Linux
NVD
CVSS 3.0
6.1
EPSS
1.6%
CVE-2018-5143 MEDIUM This Month

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:". Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla XSS Firefox Ubuntu Linux
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-5131 MEDIUM This Month

Under certain circumstances the "fetch()" API can return transient local copies of resources that were sent with a "no-store" or "no-cache" cache header instead of downloading a copy from the network. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Mozilla Information Disclosure Debian Linux Firefox Enterprise Linux Desktop +5
NVD
CVSS 3.0
5.9
EPSS
2.3%
CVE-2018-5173 MEDIUM This Month

The filename appearing in the "Downloads" panel improperly renders some Unicode characters, allowing for the file name to be spoofed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
5.3
EPSS
1.8%
CVE-2018-5168 MEDIUM This Month

Sites can bypass security checks on permissions to install lightweight themes by manipulating the "baseURI" property of the theme element. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Debian Linux Firefox Thunderbird +8
NVD
CVSS 3.0
5.3
EPSS
2.4%
CVE-2018-5142 MEDIUM This Month

If Media Capture and Streams API permission is requested from documents with "data:" or "blob:" URLs, the permission notifications do not properly display the originating domain. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.2%
CVE-2018-5140 MEDIUM This Month

Image for moz-icons can be accessed through the "moz-icon:" protocol through script in web content even when otherwise prohibited. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.3%
CVE-2018-5138 MEDIUM This Month

A spoofing vulnerability can occur when a malicious site with an extremely long domain name is opened in an Android Custom Tab (a browser panel inside another app) and the default browser is Firefox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Firefox
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2018-5121 MEDIUM This Month

Low descenders on some Tibetan characters in several fonts on OS X are clipped when rendered in the addressbar. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.0
5.3
EPSS
1.5%
CVE-2018-5119 MEDIUM This Month

The reader view will display cross-origin content when CORS headers are set to prohibit the loading of cross-origin content by a site. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.6%
CVE-2018-5118 MEDIUM This Month

The screenshot images displayed in the Activity Stream page displayed when a new tab is opened is created from the meta tags of websites. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.6%
CVE-2018-5117 MEDIUM PATCH This Month

If right-to-left text is used in the addressbar with left-to-right alignment, it is possible in some circumstances to scroll this text to spoof the displayed URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Mozilla Information Disclosure Debian Linux Enterprise Linux Enterprise Linux Desktop +7
NVD
CVSS 3.0
5.3
EPSS
2.4%
CVE-2018-5114 MEDIUM This Month

If an existing cookie is changed to be "HttpOnly" while a document is open, the original value remains accessible through script until that document is closed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.6%
CVE-2018-5110 MEDIUM This Month

If cursor visibility is toggled by script using from 'none' to an image and back through script, the cursor will be rendered temporarily invisible within Firefox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox
NVD
CVSS 3.0
5.3
EPSS
1.5%
CVE-2018-5109 MEDIUM This Month

An audio capture session can started under an incorrect origin from the site making the capture request. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
0.6%
CVE-2018-5107 MEDIUM This Month

The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Authentication Bypass Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.8%
CVE-2018-5106 MEDIUM This Month

Style editor traffic in the Developer Tools can be routed through a service worker hosted on a third party website if a user selects error links when these tools are open. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
5.3
EPSS
1.3%
CVE-2018-12100 MEDIUM This Month

Sonatype Nexus Repository Manager versions 3.x before 3.12.0 has XSS in multiple areas in the Administration UI. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Nexus Repository Manager
NVD
CVSS 3.0
4.8
EPSS
1.3%
CVE-2018-5172 MEDIUM This Month

The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Privilege Escalation XSS Ubuntu Linux Firefox
NVD
CVSS 3.0
4.3
EPSS
1.6%
CVE-2018-5170 MEDIUM This Month

It is possible to spoof the filename of an attachment and display an arbitrary attachment name. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus +7
NVD
CVSS 3.0
4.3
EPSS
1.8%
CVE-2018-5167 MEDIUM This Month

The web console and JavaScript debugger do not sanitize all output that can be hyperlinked. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Mozilla Information Disclosure Ubuntu Linux Firefox
NVD
CVSS 3.0
4.3
EPSS
1.4%
CVE-2018-5161 MEDIUM This Month

Crafted message headers can cause a Thunderbird process to hang on receiving the message. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Enterprise Linux Desktop Enterprise Linux Server Enterprise Linux Server Aus +7
NVD
CVSS 3.0
4.3
EPSS
2.1%
CVE-2018-5108 MEDIUM This Month

A Blob URL can violate origin attribute segregation, allowing it to be accessed from a private browsing tab and for data to be passed between the private browsing tab and a normal tab. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Mozilla Information Disclosure Firefox Ubuntu Linux
NVD
CVSS 3.0
4.3
EPSS
1.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy