Skip to main content
CVE-2018-1999018 MEDIUM POC This Month

Pydio version 8.2.1 and prior contains an Unvalidated user input leading to Remote Code Execution (RCE) vulnerability in plugins/action.antivirus/AntivirusScanner.php: Line 124, scanNow($nodeObject). Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

RCE PHP Pydio
NVD
CVSS 3.0
6.6
EPSS
3.5%
CVE-2018-1999016 MEDIUM POC PATCH This Month

Pydio version 8.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in ./core/vendor/meenie/javascript-packer/example-inline.php line 48;. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Pydio
NVD
CVSS 3.0
6.1
EPSS
1.0%
CVE-2018-14527 MEDIUM POC This Month

Feedback.asp in Xiao5uCompany 1.7 has XSS because the XSS protection mechanism in Safe.asp is insufficient (for example, it considers SCRIPT and IMG elements, but does not consider VIDEO elements). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Xiao5Ucompany
NVD GitHub
CVSS 3.0
6.1
EPSS
0.7%
CVE-2018-14517 MEDIUM POC This Month

SeaCMS 6.61 has two XSS issues in the admin_config.php file via certain form fields. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Seacms
NVD GitHub
CVSS 3.0
6.1
EPSS
0.7%
CVE-2018-14513 MEDIUM POC This Month

An XSS vulnerability was discovered in WUZHI CMS 4.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Wuzhi Cms
NVD GitHub
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-14512 MEDIUM POC This Month

An XSS vulnerability was discovered in WUZHI CMS 4.1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Wuzhicms
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2018-1999020 MEDIUM POC PATCH This Month

Open Networking Foundation (ONF) ONOS version 1.13.2 and earlier version contains a Directory Traversal vulnerability in core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Java Path Traversal Onos
NVD
CVSS 3.0
5.5
EPSS
1.3%
CVE-2018-1999024 MEDIUM POC PATCH This Month

{} macro that can result in Potentially untrusted Javascript running within a web browser. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Mathjax
NVD GitHub
CVSS 3.0
5.4
EPSS
1.3%
CVE-2018-1999021 MEDIUM POC This Month

Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) vulnerability in Profile page that can result in Inject arbitrary web script or HTML via the profile page editor. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Gleezcms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-1513 MEDIUM POC This Month

IBM Sterling B2B Integrator Standard Edition 5.2.0 through 5.2.6 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS IBM Sterling B2b Integrator
NVD Exploit-DB
CVSS 3.0
5.4
EPSS
2.9%
CVE-2018-1999017 MEDIUM POC PATCH This Month

Pydio version 8.2.0 and earlier contains a Server-Side Request Forgery (SSRF) vulnerability in plugins/action.updater/UpgradeManager.php Line: 154, getUpgradePath($url) that can result in an. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF PHP Pydio
NVD
CVSS 3.0
4.9
EPSS
1.0%
CVE-2018-1999015 MEDIUM PATCH This Month

FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out of array read vulnerability in ASF_F format demuxer that can result in heap memory reading. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Information Disclosure Buffer Overflow Ffmpeg
NVD GitHub
CVSS 3.0
6.5
EPSS
1.8%
CVE-2018-1999014 MEDIUM PATCH This Month

FFmpeg before commit bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 contains an out of array access vulnerability in MXF format demuxer that can result in DoS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Information Disclosure Buffer Overflow Ffmpeg
NVD GitHub
CVSS 3.0
6.5
EPSS
1.5%
CVE-2018-1999013 MEDIUM PATCH This Month

FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the realmedia demuxer that can result in vulnerability allows attacker to read heap memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Information Disclosure Use After Free Ffmpeg
NVD GitHub
CVSS 3.0
6.5
EPSS
1.8%
CVE-2018-1999012 MEDIUM PATCH This Month

FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Ffmpeg
NVD GitHub
CVSS 3.0
6.5
EPSS
2.2%
CVE-2018-14549 MEDIUM This Month

An issue has been found in libwav through 2017-04-20. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Libwav
NVD GitHub
CVSS 3.0
6.5
EPSS
1.2%
CVE-2018-14524 MEDIUM PATCH This Month

dwg_decode_eed in decode.c in GNU LibreDWG before 0.6 leads to a double free (in dwg_free_eed in free.c) because it does not properly manage the obj->eed value after a free occurs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Libredwg
NVD GitHub
CVSS 3.0
6.5
EPSS
1.1%
CVE-2018-8031 MEDIUM PATCH This Month

The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Tomcat Tomee
NVD
CVSS 3.0
6.1
EPSS
2.0%
CVE-2018-14573 MEDIUM This Month

A Local File Inclusion (LFI) vulnerability exists in the Web Interface API of TightRope Media Carousel Digital Signage before 7.3.5. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Tightrope Media Carousel Digital Signage
NVD
CVSS 3.0
5.5
EPSS
6.4%
CVE-2018-14545 MEDIUM This Month

There exists one invalid memory read bug in AP4_SampleDescription::GetType() in Ap4SampleDescription.h in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow Bento4
NVD GitHub
CVSS 3.0
5.5
EPSS
0.8%
CVE-2018-14544 MEDIUM This Month

There exists one invalid memory read bug in AP4_SampleDescription::GetFormat() in Ap4SampleDescription.h in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow Bento4
NVD GitHub
CVSS 3.0
5.5
EPSS
0.8%
CVE-2018-14543 MEDIUM This Month

There exists one NULL pointer dereference vulnerability in AP4_JsonInspector::AddField in Ap4Atom.cpp in Bento4 1.5.1-624, which can allow attackers to cause a denial-of-service via a crafted mp4. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference Denial Of Service Bento4
NVD GitHub
CVSS 3.0
5.5
EPSS
0.8%
CVE-2018-1999007 MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers with the ability to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Java Jenkins XSS Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2018-1999005 MEDIUM PATCH This Month

A cross-site scripting vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in BuildTimelineWidget.java, BuildTimelineWidget/control.jelly that allows attackers with Job/Configure. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Jenkins XSS Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2018-1999008 MEDIUM PATCH This Month

October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS October
NVD
CVSS 3.0
5.4
EPSS
0.5%
CVE-2018-10912 MEDIUM PATCH This Month

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
CVSS 3.1
4.9
EPSS
1.3%
CVE-2018-1999006 MEDIUM PATCH This Month

A exposure of sensitive information vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Jenkins Information Disclosure
NVD
CVSS 3.0
4.3
EPSS
0.9%
CVE-2018-1999004 MEDIUM PATCH This Month

A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Java Authentication Bypass Jenkins Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2018-1999003 MEDIUM PATCH This Month

A Improper authorization vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in Queue.java that allows attackers with Overall/Read permission to cancel queued builds. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Java Authentication Bypass Jenkins Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2018-1503 MEDIUM This Month

IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow a remotely authenticated attacker to to send invalid or malformed headers that could cause messages to no longer be transmitted via the affected. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Information Disclosure Websphere Mq
NVD
CVSS 3.0
4.3
EPSS
2.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy