Skip to main content
CVE-2018-1000820 CRITICAL POC PATCH Act Now

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE SSRF Awesome Procedures On Cyper
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-17246 CRITICAL POC THREAT Act Now

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic RCE Kibana Openshift Container Platform
NVD
CVSS 3.0
9.8
EPSS
82.3%
CVE-2018-18871 CRITICAL POC Act Now

Missing password verification in the web interface on Gigaset Maxwell Basic VoIP phones with firmware 2.22.7 would allow a remote attacker (in the same network as the device) to change the admin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Maxwell Basic Firmware
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2018-15723 CRITICAL POC Act Now

The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Harmony Hub Firmware
NVD
CVSS 3.0
9.8
EPSS
3.7%
CVE-2018-15721 CRITICAL POC Act Now

The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Harmony Hub Firmware
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2018-15720 CRITICAL POC Act Now

Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Harmony Hub Firmware
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2018-1160 CRITICAL POC THREAT Act Now

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption RCE Buffer Overflow Netatalk Router Manager +4
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
86.5%
CVE-2018-1000885 CRITICAL POC Act Now

PHKP version including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b contains a Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Phkp
NVD
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-1000881 CRITICAL POC Act Now

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Code Injection RCE Server
NVD
CVSS 3.0
9.8
EPSS
3.8%
CVE-2018-1000871 CRITICAL POC Act Now

HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL Injection vulnerability in "id_utente_mod" parameter in gestione_utenti.php file that can result in An attacker can dump all the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Hoteldruid
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
1.6%
CVE-2018-1000869 CRITICAL POC PATCH Act Now

phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Phpipam
NVD GitHub
CVSS 3.0
9.8
EPSS
1.8%
CVE-2018-1000851 CRITICAL POC Act Now

Copay Bitcoin Wallet version 5.01 to 5.1.0 included. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Copay Bitcoin Wallet
NVD GitHub
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-1000832 CRITICAL POC Act Now

ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Deserialization SSRF RCE Zoneminder
NVD GitHub
CVSS 3.0
9.8
EPSS
6.4%
CVE-2018-1000827 CRITICAL POC Act Now

Ubilling version <= 0.9.2 contains a Other/Unknown vulnerability in user-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Deserialization SSRF RCE Ubilling
NVD GitHub
CVSS 3.0
9.8
EPSS
3.6%
CVE-2018-20305 CRITICAL POC Act Now

D-Link DIR-816 A2 1.10 B05 devices allow arbitrary remote code execution without authentication via the newpass parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption RCE Buffer Overflow D-Link Dir 816 A2 Firmware
NVD GitHub
CVSS 3.0
9.8
EPSS
4.1%
CVE-2018-20300 CRITICAL POC Act Now

Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Empirecms
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2018-1000867 HIGH POC PATCH This Week

WeBid version up to current version 1.2.2 contains a SQL Injection vulnerability in All five yourauctions*.php scripts that can result in Database Read via Blind SQL Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi PHP Webid
NVD GitHub
CVSS 3.0
8.8
EPSS
1.5%
CVE-2018-1000858 HIGH POC This Week

GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Mozilla CSRF Information Disclosure Gnupg Ubuntu Linux
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2018-1000857 HIGH POC This Week

log-user-session version 0.7 and earlier contains a Directory Traversal vulnerability in Main SUID-binary /usr/local/bin/log-user-session that can result in User to root privilege escalation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Path Traversal Log User Session
NVD
CVSS 3.1
8.8
EPSS
3.3%
CVE-2018-1000849 HIGH POC PATCH This Week

Alpine Linux version Versions prior to 2.6.10, 2.7.6, and 2.10.1 contains a Other/Unknown vulnerability in apk-tools (Alpine Linux' package manager) that can result in Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Alpine Linux
NVD
CVSS 3.0
8.8
EPSS
3.5%
CVE-2018-1000843 HIGH POC PATCH This Week

Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross ite Request Forgery (CSRF) vulnerability in API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Luigi
NVD GitHub
CVSS 3.0
8.8
EPSS
0.8%
CVE-2018-1000839 HIGH POC This Week

LH-EHR version REL-2_0_0 contains a Arbitrary File Upload vulnerability in Profile picture upload that can result in Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Librehealth Ehr
NVD GitHub
CVSS 3.0
8.8
EPSS
3.1%
CVE-2018-1000811 HIGH POC THREAT This Week

bludit version 3.0.0 contains a Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in Pages Editor that can result in Remote Command Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Bludit
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
47.6%
CVE-2018-1000812 HIGH POC PATCH This Week

Artica Integria IMS version 5.0 MR56 Package 58, likely earlier versions contains a CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability in Password recovery process, line. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure PHP Integria Ims
NVD GitHub
CVSS 3.0
8.1
EPSS
2.0%
CVE-2018-19134 HIGH POC This Week

In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Ghostscript Debian Linux Enterprise Linux Desktop Enterprise Linux Server +3
NVD
CVSS 3.0
7.8
EPSS
2.9%
CVE-2018-18629 HIGH POC This Week

An issue was discovered in the Keybase command-line client before 2.8.0-20181023124437 for Linux. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Keybase
NVD Exploit-DB
CVSS 3.0
7.8
EPSS
1.5%
CVE-2018-1000876 HIGH POC This Week

binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow RCE Binutils Ubuntu Linux Enterprise Linux Desktop +2
NVD
CVSS 3.1
7.8
EPSS
0.7%
CVE-2018-18442 HIGH POC This Week

D-Link DCS-825L devices with firmware 1.08 do not employ a suitable mechanism to prevent denial-of-service (DoS) attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure D-Link Dcs 825L Firmware
NVD
CVSS 3.0
7.5
EPSS
1.3%
CVE-2018-18441 HIGH POC This Week

D-Link DCS series Wi-Fi cameras expose sensitive information regarding the device configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure D-Link Dcs 936L Firmware Dcs 942L Firmware Dcs 8000Lh Firmware +15
NVD
CVSS 3.0
7.5
EPSS
1.9%
CVE-2018-1000882 HIGH POC PATCH This Week

WeBid version up to current version 1.2.2 contains a Directory Traversal vulnerability in getthumb.php that can result in Arbitrary Image File Read. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal PHP Webid
NVD GitHub
CVSS 3.0
7.5
EPSS
2.4%
CVE-2018-1000850 HIGH POC PATCH This Week

Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter that can result in By. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Retrofit
NVD GitHub
CVSS 3.0
7.5
EPSS
4.0%
CVE-2018-1000817 HIGH POC PATCH This Week

Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Path Traversal Asset Pipeline
NVD GitHub
CVSS 3.0
7.5
EPSS
2.5%
CVE-2018-20303 HIGH POC PATCH This Week

In pkg/tool/path.go in Gogs before 0.11.82.1218, a directory traversal in the file-upload functionality can allow an attacker to create a file under data/sessions on the server, a similar issue to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Gogs
NVD GitHub
CVSS 3.0
7.5
EPSS
3.2%
CVE-2018-18767 HIGH POC This Week

An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Information Disclosure D-Link Mydlink Baby Camera Monitor Dcs 825L Firmware
NVD
CVSS 3.0
7.0
EPSS
0.6%
CVE-2018-1000873 MEDIUM POC PATCH This Month

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Jackson Modules Java8 Clusterware Database Server Global Lifecycle Management Opatch +2
NVD GitHub
CVSS 3.1
6.5
EPSS
4.8%
CVE-2018-1000872 MEDIUM POC PATCH This Month

OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Pykmip
NVD GitHub
CVSS 3.0
6.5
EPSS
1.3%
CVE-2018-1000852 MEDIUM POC PATCH This Month

FreeRDP FreeRDP 2.0.0-rc3 released version before commit 205c612820dac644d665b5bb1cdf437dc5ca01e3 contains a Other/Unknown vulnerability in channels/drdynvc/client/drdynvc_main.c,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Buffer Overflow Freerdp Ubuntu Linux Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
2.7%
CVE-2018-1000840 MEDIUM POC This Month

Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Processing
NVD GitHub
CVSS 3.0
6.5
EPSS
2.2%
CVE-2018-1000814 MEDIUM POC PATCH This Month

aio-libs aiohttp-session version 2.6.0 and earlier contains a Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Aiohttp Session
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2018-20304 MEDIUM POC This Month

wbook_addworksheet in workbook.c in libexcel.a in libexcel 0.01 allows attackers to cause a denial of service (SEGV) via a long second argument. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Denial Of Service Buffer Overflow Libexcel
NVD GitHub
CVSS 3.0
6.5
EPSS
0.9%
CVE-2018-16627 MEDIUM POC This Month

panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Kirby
NVD GitHub
CVSS 3.0
6.1
EPSS
0.8%
CVE-2018-12651 MEDIUM POC This Month

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin 5.4 HRMS Software. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Human Resource Management Software
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-1000874 MEDIUM POC This Month

PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Markdown
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2018-1000868 MEDIUM POC PATCH This Month

WeBid version up to current version 1.2.2 contains a Cross Site Scripting (XSS) vulnerability in user_login.php, register.php that can result in Javascript execution in the user's browser, injection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Webid
NVD GitHub
CVSS 3.0
6.1
EPSS
1.6%
CVE-2018-1000826 MEDIUM POC PATCH This Month

Microweber version <= 1.0.7 contains a Cross Site Scripting (XSS) vulnerability in Admin login form template that can result in Execution of JavaScript code. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Microweber
NVD GitHub
CVSS 3.0
6.1
EPSS
1.3%
CVE-2018-20302 MEDIUM POC PATCH This Month

An XSS issue was discovered in Steve Pallen Xain before 0.6.2 via the order parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Xain
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-1000838 CRITICAL Act Now

autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Autopsy
NVD GitHub
CVSS 3.0
10.0
EPSS
2.5%
CVE-2018-1000837 CRITICAL Act Now

UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Uml Designer
NVD GitHub
CVSS 3.1
10.0
EPSS
1.8%
CVE-2018-1000835 CRITICAL Act Now

KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Keepass Dx
NVD GitHub
CVSS 3.1
10.0
EPSS
1.8%
CVE-2018-1000831 CRITICAL Act Now

K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF K 9 Mail
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy