Skip to main content
CVE-2018-17936 CRITICAL POC THREAT Emergency

NUUO CMS All versions 3.3 and prior the application allows the upload of arbitrary files that can modify or overwrite configuration files to the server, which could allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE Nuuo Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
15.3%
CVE-2018-18982 HIGH POC THREAT Act Now

NUUO CMS All versions 3.3 and prior the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi RCE Nuuo Cms
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
60.8%
CVE-2018-13354 CRITICAL POC THREAT Act Now

System command injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "Event" parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Terramaster Operating System
NVD
CVSS 3.0
9.8
EPSS
22.9%
CVE-2018-13350 CRITICAL POC THREAT Act Now

SQL injection in logtable.php in TerraMaster TOS version 3.1.03 allows attackers to execute SQL queries via the "Event" parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Terramaster Operating System
NVD
CVSS 3.0
9.8
EPSS
16.7%
CVE-2018-13338 CRITICAL POC THREAT Act Now

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "username" parameter during user creation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Terramaster Operating System
NVD
CVSS 3.0
9.8
EPSS
10.2%
CVE-2018-13336 CRITICAL POC Act Now

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "pwd" parameter during user creation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Terramaster Operating System
NVD
CVSS 3.0
9.8
EPSS
9.1%
CVE-2018-17934 CRITICAL POC THREAT Act Now

NUUO CMS All versions 3.3 and prior the application allows external input to construct a pathname that is able to be resolved outside the intended directory. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Nuuo Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
19.7%
CVE-2018-13316 CRITICAL POC Act Now

System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "subnet" POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A3002ru Firmware
NVD
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-13314 CRITICAL POC Act Now

System command injection in formAliasIp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ipAddr" POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A3002ru Firmware
NVD
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-13307 CRITICAL POC Act Now

System command injection in fromNtp in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ntpServerIp2" POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A3002ru Firmware
NVD
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-13306 CRITICAL POC Act Now

System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "ftpUser" POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection A3002ru Firmware
NVD
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-19595 CRITICAL POC Act Now

PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Pbootcms
NVD
CVSS 3.0
9.8
EPSS
3.9%
CVE-2018-13418 HIGH POC This Week

System command injection in ajaxdata.php in TerraMaster TOS 3.1.03 allows attackers to execute system commands via the "newname" parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Terramaster Operating System
NVD
CVSS 3.0
8.8
EPSS
5.2%
CVE-2018-13359 HIGH POC THREAT This Week

Cross-site scripting in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "modgroup" parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Terramaster Operating System
NVD
CVSS 3.0
8.8
EPSS
19.9%
CVE-2018-13358 HIGH POC THREAT This Week

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands via the "checkName" parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Terramaster Operating System
NVD
CVSS 3.0
8.8
EPSS
24.9%
CVE-2018-13356 HIGH POC This Week

Incorrect access control on ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to elevate user permissions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Terramaster Operating System
NVD
CVSS 3.0
8.8
EPSS
2.0%
CVE-2018-13353 HIGH POC This Week

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute commands via the "checkport" parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Terramaster Operating System
NVD
CVSS 3.0
8.8
EPSS
5.9%
CVE-2018-16130 HIGH POC THREAT This Week

System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Miwifi Os
NVD
CVSS 3.0
8.8
EPSS
24.0%
CVE-2018-14893 HIGH POC This Week

A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Zyxel Command Injection Nsa325 V2 Firmware
NVD
CVSS 3.0
8.8
EPSS
3.4%
CVE-2018-14892 HIGH POC This Week

Missing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Zyxel Nsa325 V2 Firmware
NVD
CVSS 3.0
8.8
EPSS
0.9%
CVE-2018-13023 HIGH POC THREAT This Week

System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Miwifi Os
NVD
CVSS 3.0
8.8
EPSS
24.0%
CVE-2018-13352 HIGH POC This Week

Session Exposure in the web application for TerraMaster TOS version 3.1.03 allows attackers to view active session tokens in a world-readable directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Terramaster Operating System
NVD
CVSS 3.0
7.5
EPSS
1.9%
CVE-2018-13332 HIGH POC This Week

Directory Traversal in the explorer application in TerraMaster TOS version 3.1.03 allows attackers to upload files to arbitrary locations via the "path" URL parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Terramaster Operating System
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2018-13376 HIGH POC This Week

An uninitialized memory buffer leak exists in Fortinet FortiOS 5.6.1 to 5.6.3, 5.4.6 to 5.4.7, 5.2 all versions under web proxy's disclaimer response web pages, potentially causing sensitive data to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Fortinet Fortios
NVD
CVSS 3.0
7.5
EPSS
2.1%
CVE-2018-13330 HIGH POC This Week

System command injection in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute system commands during group creation via the "groupname" parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Terramaster Operating System
NVD
CVSS 3.0
7.2
EPSS
8.1%
CVE-2018-13355 MEDIUM POC This Month

Incorrect access controls in ajaxdata.php in TerraMaster TOS version 3.1.03 allow attackers to create user groups without proper authorization. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Terramaster Operating System
NVD
CVSS 3.0
6.5
EPSS
1.1%
CVE-2018-19609 MEDIUM POC This Month

ShowDoc 2.4.1 allows remote attackers to obtain sensitive information by navigating with a modified page_id, as demonstrated by reading note content, or discovering a username in the JSON data at a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Showdoc
NVD GitHub
CVSS 3.0
6.5
EPSS
1.2%
CVE-2018-19607 MEDIUM POC This Month

Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Exiv2
NVD GitHub
CVSS 3.0
6.5
EPSS
2.2%
CVE-2018-19587 MEDIUM POC This Month

In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_add_session() function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Mongoose
NVD GitHub
CVSS 3.0
6.5
EPSS
0.9%
CVE-2018-13360 MEDIUM POC This Month

Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Terramaster Operating System
NVD
CVSS 3.0
6.1
EPSS
1.3%
CVE-2018-13349 MEDIUM POC This Month

Cross-site scripting in the web application taskbar in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the user's username. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Terramaster Operating System
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-13333 MEDIUM POC This Month

Cross-site scripting in File Manager in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript in the permissions window by placing JavaScript in users' usernames. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Terramaster Operating System
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-13331 MEDIUM POC This Month

Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing users by placing JavaScript in their usernames. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Terramaster Operating System
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-13334 MEDIUM POC This Month

Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Terramaster Operating System
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-13329 MEDIUM POC This Month

Cross-site scripting in ajaxdata.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "lines" URL parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Terramaster Operating System
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-13022 MEDIUM POC This Month

Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Miwifi Os
NVD
CVSS 3.0
6.1
EPSS
0.7%
CVE-2018-13357 MEDIUM POC This Month

Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing Shared Folders via JavaScript in Shared Folders' names. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Terramaster Operating System
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2018-13335 MEDIUM POC This Month

Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript when viewing shared folders via their descriptions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Terramaster Operating System
NVD
CVSS 3.0
5.4
EPSS
0.9%
CVE-2018-13337 MEDIUM POC This Month

Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Session Fixation Information Disclosure Terramaster Operating System
NVD
CVSS 3.0
5.4
EPSS
1.2%
CVE-2018-13361 MEDIUM POC THREAT This Month

User enumeration in usertable.php in TerraMaster TOS version 3.1.03 allows attackers to list all system users via the "modgroup" parameter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Terramaster Operating System
NVD
CVSS 3.0
5.3
EPSS
16.9%
CVE-2018-13351 MEDIUM POC This Month

Cross-site scripting in Control Panel in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the edit password form. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Terramaster Operating System
NVD
CVSS 3.0
4.8
EPSS
0.9%
CVE-2018-6983 HIGH This Week

VMware Workstation (15.x before 15.0.2 and 14.x before 14.1.5) and Fusion (11.x before 11.0.2 and 10.x before 10.1.5) contain an integer overflow vulnerability in the virtual network devices. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Integer Overflow VMware Buffer Overflow Workstation Fusion
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2018-11766 HIGH PATCH This Week

In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache Hadoop
NVD
CVSS 3.0
8.8
EPSS
3.2%
CVE-2018-9083 HIGH This Week

In System Management Module (SMM) versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass System Management Module Firmware
NVD
CVSS 3.0
8.1
EPSS
1.1%
CVE-2018-16094 HIGH This Week

In System Management Module (SMM) versions prior to 1.06, an internal SMM function that retrieves configuration settings is prone to a buffer overflow. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow System Management Module Firmware
NVD
CVSS 3.0
8.1
EPSS
0.9%
CVE-2018-16092 HIGH This Week

In System Management Module (SMM) versions prior to 1.06, the FFDC feature includes the collection of SMM system files containing sensitive information; notably, the SMM user account credentials and. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure System Management Module Firmware
NVD
CVSS 3.0
8.1
EPSS
0.9%
CVE-2018-16091 HIGH This Week

In System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to several buffer overflows. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow System Management Module Firmware
NVD
CVSS 3.0
8.1
EPSS
0.6%
CVE-2018-17953 HIGH This Week

A incorrect variable in a SUSE specific patch for pam_access rule matching in PAM 1.3.0 in openSUSE Leap 15.0 and SUSE Linux Enterprise 15 could lead to pam_access rules not being applied (fail open). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Linux Pam
NVD
CVSS 3.0
8.1
EPSS
1.3%
CVE-2018-6265 HIGH PATCH This Week

NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 during application installation on Windows 7 in elevated privilege mode, where a local user who initiates a browser. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Microsoft Nvidia Geforce Experience
NVD
CVSS 3.0
7.8
EPSS
0.3%
CVE-2018-6263 HIGH PATCH This Week

NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 on Windows in which an attacker who has access to a local user account can plant a malicious dynamic link library. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Privilege Escalation Microsoft Nvidia Geforce Experience
NVD
CVSS 3.0
7.8
EPSS
0.3%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy