Skip to main content
CVE-2018-1000820 CRITICAL POC PATCH Act Now

neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service XXE SSRF Awesome Procedures On Cyper
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-17246 CRITICAL POC THREAT Act Now

Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic RCE Kibana Openshift Container Platform
NVD
CVSS 3.0
9.8
EPSS
82.3%
CVE-2018-18871 CRITICAL POC Act Now

Missing password verification in the web interface on Gigaset Maxwell Basic VoIP phones with firmware 2.22.7 would allow a remote attacker (in the same network as the device) to change the admin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Maxwell Basic Firmware
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2018-15723 CRITICAL POC Act Now

The Logitech Harmony Hub before version 4.15.206 is vulnerable to application level command injection via crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Harmony Hub Firmware
NVD
CVSS 3.0
9.8
EPSS
3.7%
CVE-2018-15721 CRITICAL POC Act Now

The XMPP server in Logitech Harmony Hub before version 4.15.206 is vulnerable to authentication bypass via a crafted XMPP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Harmony Hub Firmware
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2018-15720 CRITICAL POC Act Now

Logitech Harmony Hub before version 4.15.206 contained two hard-coded accounts in the XMPP server that gave remote users access to the local API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Harmony Hub Firmware
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2018-1160 CRITICAL POC THREAT Act Now

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption RCE Buffer Overflow Netatalk Router Manager +4
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
86.5%
CVE-2018-1000885 CRITICAL POC Act Now

PHKP version including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b contains a Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Phkp
NVD
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-1000881 CRITICAL POC Act Now

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Code Injection RCE Server
NVD
CVSS 3.0
9.8
EPSS
3.8%
CVE-2018-1000871 CRITICAL POC Act Now

HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL Injection vulnerability in "id_utente_mod" parameter in gestione_utenti.php file that can result in An attacker can dump all the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Hoteldruid
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
1.6%
CVE-2018-1000869 CRITICAL POC PATCH Act Now

phpIPAM version 1.3.2 contains a CWE-89 vulnerability in /app/admin/nat/item-add-submit.php that can result in SQL Injection.. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Phpipam
NVD GitHub
CVSS 3.0
9.8
EPSS
1.8%
CVE-2018-1000851 CRITICAL POC Act Now

Copay Bitcoin Wallet version 5.01 to 5.1.0 included. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Copay Bitcoin Wallet
NVD GitHub
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-1000832 CRITICAL POC Act Now

ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Deserialization SSRF RCE Zoneminder
NVD GitHub
CVSS 3.0
9.8
EPSS
6.4%
CVE-2018-1000827 CRITICAL POC Act Now

Ubilling version <= 0.9.2 contains a Other/Unknown vulnerability in user-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Deserialization SSRF RCE Ubilling
NVD GitHub
CVSS 3.0
9.8
EPSS
3.6%
CVE-2018-20305 CRITICAL POC Act Now

D-Link DIR-816 A2 1.10 B05 devices allow arbitrary remote code execution without authentication via the newpass parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption RCE Buffer Overflow D-Link Dir 816 A2 Firmware
NVD GitHub
CVSS 3.0
9.8
EPSS
4.1%
CVE-2018-20300 CRITICAL POC Act Now

Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Empirecms
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2018-1000838 CRITICAL Act Now

autopsy version <= 4.9.0 contains a XML External Entity (XXE) vulnerability in CaseMetadata XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Autopsy
NVD GitHub
CVSS 3.0
10.0
EPSS
2.5%
CVE-2018-1000837 CRITICAL Act Now

UML Designer version <= 8.0.0 contains a XML External Entity (XXE) vulnerability in XML parser for plugins that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Uml Designer
NVD GitHub
CVSS 3.1
10.0
EPSS
1.8%
CVE-2018-1000835 CRITICAL Act Now

KeePassDX version <= 2.5.0.0beta17 contains a XML External Entity (XXE) vulnerability in kdbx file parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Keepass Dx
NVD GitHub
CVSS 3.1
10.0
EPSS
1.8%
CVE-2018-1000831 CRITICAL Act Now

K9Mail version <= v5.600 contains a XML External Entity (XXE) vulnerability in WebDAV response parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF K 9 Mail
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-1000830 CRITICAL Act Now

XR3Player version <= V3.124 contains a XML External Entity (XXE) vulnerability in Playlist parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Xr3Player
NVD GitHub
CVSS 3.0
10.0
EPSS
1.5%
CVE-2018-1000825 CRITICAL Act Now

FreeCol version <= nightly-2018-08-22 contains a XML External Entity (XXE) vulnerability in FreeColXMLReader parser that can result in Disclosure of confidential data, denial of service, SSRF, port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Freecol
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-1000823 CRITICAL PATCH Act Now

exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Exist
NVD GitHub
CVSS 3.1
10.0
EPSS
1.9%
CVE-2018-1000822 CRITICAL PATCH Act Now

codelibs fess version before commit faa265b contains a XML External Entity (XXE) vulnerability in GSA XML file parser that can result in Disclosure of confidential data, denial of service, SSRF, port. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service XXE SSRF Fess
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-1000821 CRITICAL Act Now

MicroMathematics version before commit 5c05ac8 contains a XML External Entity (XXE) vulnerability in SMathStudio files that can result in Disclosure of confidential data, denial of service, SSRF,. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE SSRF Micromathematics
NVD GitHub
CVSS 3.0
10.0
EPSS
1.9%
CVE-2018-19240 CRITICAL Act Now

Buffer overflow in network.cgi on TRENDnet TV-IP110WN V1.2.2 build 68, V1.2.2.65, and V1.2.2 build 64 and TV-IP121WN V1.2.2 build 28 devices allows attackers to hijack the control flow to any. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Tv Ip110Wn Firmware Tv Ip121Wn Firmware
NVD
CVSS 3.0
9.8
EPSS
3.7%
CVE-2018-18399 CRITICAL Act Now

SQL injection vulnerability in the "ContentPlaceHolder1_uxTitle" component in ArchiveNews.aspx in jco.ir KARMA 6.0.0 allows a remote attacker to execute arbitrary SQL commands via the "id" parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Karma
NVD
CVSS 3.0
9.8
EPSS
2.8%
CVE-2018-18388 CRITICAL Act Now

eScan Agent Application (MWAGENT.EXE) 4.0.2.98 in MicroWorld Technologies eScan 14.0 allows remote or local attackers to execute arbitrary commands by sending a carefully crafted payload to TCP port. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Escan Anti Virus
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2018-17245 CRITICAL Act Now

Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.0
9.8
EPSS
1.3%
CVE-2018-1000884 CRITICAL PATCH Act Now

Vesta CP version Prior to commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0 -- any release prior to 0.9.8-18 contains a CWE-208 / Information Exposure Through Timing Discrepancy vulnerability in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure PHP Vesta Control Panel
NVD GitHub
CVSS 3.0
9.8
EPSS
1.3%
CVE-2018-1000875 CRITICAL Act Now

Berkeley Open Infrastructure for Network Computing BOINC Server and Website Code version 0.9-1.0.2 contains a CWE-302: Authentication Bypass by Assumed-Immutable Data vulnerability in Website Terms. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Boinc Server
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2018-1000854 CRITICAL PATCH Act Now

esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Esigate
NVD GitHub
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-1000833 CRITICAL PATCH Act Now

ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Denial Of Service Deserialization SSRF RCE Zoneminder
NVD GitHub
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-1000824 CRITICAL Act Now

MegaMek version < v0.45.1 contains a Other/Unknown vulnerability in Object Stream Connection that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Deserialization SSRF RCE Megamek
NVD GitHub
CVSS 3.0
9.8
EPSS
3.2%
CVE-2018-1784 CRITICAL PATCH Act Now

IBM API Connect 5.0.0.0 and 5.0.8.4 is affected by a NoSQL Injection in MongoDB connector for the LoopBack framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection IBM Api Connect
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2018-1000844 CRITICAL PATCH Act Now

Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE SSRF Retrofit
NVD GitHub
CVSS 3.0
9.1
EPSS
2.2%
CVE-2018-1000836 CRITICAL Act Now

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Bw Calendar Engine
NVD GitHub
CVSS 3.0
9.0
EPSS
1.1%
CVE-2018-1000834 CRITICAL Act Now

runelite version <= runelite-parent-1.4.23 contains a XML External Entity (XXE) vulnerability in Man in the middle runscape services call that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Runelite
NVD GitHub
CVSS 3.0
9.0
EPSS
1.4%
CVE-2018-1000829 CRITICAL Act Now

Anyplace version before commit 80359b4 contains a XML External Entity (XXE) vulnerability in Man in the middle on map API call that can result in Disclosure of confidential data, denial of service,. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Anyplace
NVD GitHub
CVSS 3.0
9.0
EPSS
1.3%
CVE-2018-1000828 CRITICAL Act Now

FrostWire version <= frostwire-desktop-6.7.4-build-272 contains a XML External Entity (XXE) vulnerability in Man in the middle on update that can result in Disclosure of confidential data, denial of. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service XXE SSRF Frostwire
NVD GitHub
CVSS 3.1
9.0
EPSS
1.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy