Skip to main content
CVE-2018-13417 CRITICAL POC THREAT Act Now

In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft XXE Bittorrent Client
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
20.7%
CVE-2018-13415 CRITICAL POC THREAT Act Now

In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft XXE Media Server
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
31.8%
CVE-2018-15142 HIGH POC PATCH THREAT This Week

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to execute arbitrary PHP code by writing a file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal PHP Openemr
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
18.2%
CVE-2018-15139 HIGH POC PATCH THREAT This Week

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload PHP Openemr
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
19.3%
CVE-2018-5925 HIGH POC THREAT This Week

A security vulnerability has been identified with certain HP Inkjet printers. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

HP RCE Buffer Overflow T8X44 Firmware 3Aw51A Firmware +268
NVD
CVSS 3.0
7.8
EPSS
10.9%
CVE-2018-11770 MEDIUM POC THREAT This Month

From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Authentication Bypass Apache Spark
NVD
CVSS 3.1
4.2
EPSS
65.8%
CVE-2018-15141 MEDIUM POC PATCH THREAT This Month

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid". Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal PHP Openemr
NVD GitHub Exploit-DB
CVSS 3.0
6.5
EPSS
14.5%
CVE-2018-15140 MEDIUM POC PATCH THREAT This Month

Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to read arbitrary files via the "docid" parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal PHP Openemr
NVD GitHub Exploit-DB
CVSS 3.0
6.5
EPSS
16.7%
CVE-2018-15124 CRITICAL Act Now

Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zipabox Firmware
NVD
CVSS 3.0
9.8
EPSS
1.1%
CVE-2018-15123 CRITICAL Act Now

Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zipabox Firmware
NVD
CVSS 3.0
9.8
EPSS
2.4%
CVE-2018-15145 CRITICAL PATCH Act Now

Multiple SQL injection vulnerabilities in portal/add_edit_event_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) eid, (2) userid,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Openemr
NVD GitHub
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-15143 CRITICAL PATCH Act Now

Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to execute arbitrary SQL commands via the (1) catid or (2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Openemr
NVD GitHub
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-6414 CRITICAL Act Now

A buffer overflow vulnerability in the web server of some Hikvision IP Cameras allows an attacker to send a specially crafted message to affected devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Hikvision RCE Buffer Overflow Ip Cameras
NVD
CVSS 3.0
9.8
EPSS
2.3%
CVE-2018-5924 CRITICAL Act Now

A security vulnerability has been identified with certain HP Inkjet printers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

HP Memory Corruption RCE Buffer Overflow T8X44 Firmware +269
NVD
CVSS 3.0
9.8
EPSS
12.2%
CVE-2018-0714 CRITICAL Act Now

Command injection vulnerability in Helpdesk versions 1.1.21 and earlier in QNAP QTS 4.2.6 build 20180531, QTS 4.3.3 build 20180528, QTS 4.3.4 build 20180528 and their earlier versions could allow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Qnap Command Injection Helpdesk
NVD
CVSS 3.0
9.8
EPSS
2.3%
CVE-2018-10636 HIGH This Week

CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has multiple stack-based buffer overflow vulnerabilities that could cause the software to crash due to lacking user input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Buffer Overflow Stack Overflow Cncsoft Screeneditor
NVD
CVSS 3.1
8.8
EPSS
9.5%
CVE-2018-15144 HIGH PATCH This Week

SQL injection vulnerability in interface/de_identification_forms/find_drug_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Openemr
NVD GitHub
CVSS 3.0
8.8
EPSS
1.8%
CVE-2018-10598 HIGH This Week

CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities could cause the software to crash due to lacking user input validation for processing. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure RCE Buffer Overflow Cncsoft Screeneditor
NVD
CVSS 3.0
8.1
EPSS
3.5%
CVE-2018-14878 HIGH PATCH This Week

JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Dotpeek Resharper Ultimate
NVD
CVSS 3.0
7.8
EPSS
1.6%
CVE-2018-15125 HIGH This Week

Sensitive Information Disclosure in Zipato Zipabox Smart Home Controller allows remote attacker get sensitive information that expands attack surface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Zipabox Firmware
NVD
CVSS 3.0
7.5
EPSS
1.5%
CVE-2018-6970 MEDIUM PATCH This Month

VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Microsoft Information Disclosure Buffer Overflow VMware Horizon Client +1
NVD
CVSS 3.0
6.5
EPSS
1.8%
CVE-2018-10864 MEDIUM This Month

An uncontrolled resource consumption flaw has been discovered in redhat-certification in the way documents are loaded. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Red Hat Denial Of Service Certification
NVD
CVSS 3.0
6.2
EPSS
1.2%
CVE-2018-12587 MEDIUM This Month

A cross-site scripting (XSS) vulnerability was found in valeuraddons German Spelling Dictionary v1.3 (an Opera Browser add-on). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS German Spelling Dictionary
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-10569 MEDIUM This Month

An issue was discovered in Edimax EW-7438RPn Mini v2 before version 1.26. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Edimax Ew 7438Rpn V2 Firmware
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-13392 MEDIUM This Month

Several resources in Atlassian Fisheye and Crucible before version 4.6.0 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in linked issue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Atlassian XSS Crucible Fisheye
NVD
CVSS 3.0
6.1
EPSS
1.7%
CVE-2018-3781 MEDIUM This Month

A missing sanitization of search results for an autocomplete field in NextCloud Talk <3.2.5 could lead to a stored XSS requiring user-interaction. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nextcloud XSS Talk
NVD
CVSS 3.0
5.4
EPSS
0.6%
CVE-2018-3780 MEDIUM This Month

A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Nextcloud XSS Nextcloud Server
NVD
CVSS 3.0
5.4
EPSS
0.8%
CVE-2018-14850 MEDIUM This Month

Stored XSS vulnerabilities in Tiki before 18.2, 15.7 and 12.14 allow an authenticated user injecting JavaScript to gain administrator privileges if an administrator opens a wiki page and moves the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Tikiwiki Cms Groupware
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-14849 MEDIUM This Month

Tiki before 18.2, 15.7 and 12.14 has XSS via link attributes, related to lib/core/WikiParser/OutputLink.php and lib/parser/parserlib.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Tikiwiki Cms Groupware
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2018-14781 MEDIUM This Month

Medtronic MiniMed MMT devices when paired with a remote controller and having the “easy bolus” and “remote bolus” options enabled (non-default), are vulnerable to a capture-replay attack. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure 508 Minimed Insulin Pump Firmware 522 Paradigm Real Time Firmware 722 Paradigm Real Time Firmware 523 Paradigm Revel Firmware +5
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2018-10634 MEDIUM This Month

Communications between Medtronic MiniMed MMT pumps and wireless accessories are transmitted in cleartext. Rated medium severity (CVSS 4.8), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Minimed Paradigm Revel Mmt 523K Firmware Minimed Paradigm Revel Mmt 723K Firmware Minimed Paradigm Revel Mmt 723 Firmware Minimed 530G Mmt 551 Firmware +5
NVD
CVSS 3.1
4.8
EPSS
0.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy