Skip to main content
CVE-2018-12659 HIGH POC This Week

SLiMS 8 Akasia 8.3.1 allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the csrf_token parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Slims Akasia
NVD GitHub
CVSS 3.0
8.8
EPSS
0.8%
CVE-2018-12648 HIGH POC This Week

The WEBP::GetLE32 function in XMPFiles/source/FormatSupport/WEBP_Support.hpp in Exempi 2.4.5 has a NULL pointer dereference. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Exempi
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2018-12636 HIGH POC THREAT This Week

The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Security
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
30.1%
CVE-2018-12538 HIGH PATCH This Week

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jetty E Series Santricity Management Plug Ins E Series Santricity Os Controller E Series Santricity Web Services Proxy +8
NVD
CVSS 3.0
8.8
EPSS
2.7%
CVE-2018-1000201 HIGH PATCH This Week

ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft Information Disclosure Ruby Ffi
NVD GitHub
CVSS 3.0
7.8
EPSS
1.4%
CVE-2018-12687 HIGH This Week

tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Tinyexr
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2018-12642 HIGH PATCH This Week

Froxlor through 0.9.39.5 has Incorrect Access Control for tickets not owned by the current user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Froxlor
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
CVE-2018-12635 HIGH This Week

CirCarLife Scada v4.2.4 allows unauthorized upgrades via requests to the html/upgrade.html and services/system/firmware.upgrade URIs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass SCADA
NVD
CVSS 3.0
7.5
EPSS
0.9%
CVE-2018-12684 HIGH PATCH This Week

Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Denial Of Service Buffer Overflow Civetweb
NVD GitHub
CVSS 3.0
7.1
EPSS
1.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy