Total
9170 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-4247 | 1 Apple | 2 Iphone Os, Safari | 2018-07-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. The issue involves the "Safari" component. It allows remote attackers to cause a denial of service (persistent Safari outage) via a crafted web site. | |||||
| CVE-2018-4198 | 1 Apple | 4 Apple Tv, Iphone Os, Mac Os X and 1 more | 2018-07-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "UIKit" component. It allows remote attackers to cause a denial of service via a crafted text file. | |||||
| CVE-2018-4205 | 1 Apple | 1 Safari | 2018-07-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. Safari before 11.1.1 is affected. The issue involves the "Safari" component. It allows remote attackers to spoof the address bar via a crafted web site. | |||||
| CVE-2018-4188 | 2 Apple, Microsoft | 6 Apple Tv, Icloud, Iphone Os and 3 more | 2018-07-17 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof the address bar via a crafted web site. | |||||
| CVE-2017-18248 | 1 Apple | 1 Cups | 2018-07-12 | 3.5 LOW | 5.3 MEDIUM |
| The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification. | |||||
| CVE-2017-7672 | 1 Apache | 1 Struts | 2018-07-07 | 4.3 MEDIUM | 5.9 MEDIUM |
| If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12. | |||||
| CVE-2017-18123 | 2 Debian, Dokuwiki | 2 Debian Linux, Dokuwiki | 2018-07-06 | 9.3 HIGH | 8.6 HIGH |
| The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs. | |||||
| CVE-2018-11481 | 1 Tp-link | 8 Ipc Tl-ipc223\(p\)-6, Ipc Tl-ipc223\(p\)-6 Firmware, Tl-ipc323k-d and 5 more | 2018-07-05 | 6.5 MEDIUM | 8.8 HIGH |
| TP-LINK IPC TL-IPC223(P)-6, TL-IPC323K-D, TL-IPC325(KP)-*, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters. | |||||
| CVE-2018-5487 | 2 Linux, Netapp | 2 Linux Kernel, Oncommand Unified Manager | 2018-07-05 | 7.5 HIGH | 9.8 CRITICAL |
| NetApp OnCommand Unified Manager for Linux versions 7.2 through 7.3 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service bound to the network, and are susceptible to unauthenticated remote code execution. | |||||
| CVE-2018-11315 | 1 Radiothermostat | 4 Ct50, Ct50 Firmware, Ct80 and 1 more | 2018-07-03 | 3.3 LOW | 6.5 MEDIUM |
| The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a home's target temperature to 95 degrees Fahrenheit. This vulnerability might be described as an addendum to CVE-2013-4860. | |||||
| CVE-2015-0899 | 1 Apache | 1 Struts | 2018-06-30 | 5.0 MEDIUM | 7.5 HIGH |
| The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | |||||
| CVE-2016-3090 | 1 Apache | 1 Struts | 2018-06-30 | 6.5 MEDIUM | 8.8 HIGH |
| The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. | |||||
| CVE-2015-5209 | 1 Apache | 1 Struts | 2018-06-30 | 5.0 MEDIUM | 7.5 HIGH |
| Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | |||||
| CVE-2016-8738 | 1 Apache | 1 Struts | 2018-06-30 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. | |||||
| CVE-2015-7519 | 1 Phusionpassenger | 1 Phusion Passenger | 2018-06-28 | 4.3 MEDIUM | 3.7 LOW |
| agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header. | |||||
| CVE-2016-9394 | 1 Jasper Project | 1 Jasper | 2018-06-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file. | |||||
| CVE-2016-9390 | 1 Jasper Project | 1 Jasper | 2018-06-28 | 4.3 MEDIUM | 5.5 MEDIUM |
| The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file. | |||||
| CVE-2018-4943 | 1 Adobe | 1 Push Notifications | 2018-06-28 | 6.8 MEDIUM | 8.8 HIGH |
| Adobe PhoneGap Push Plugin versions 1.8.0 and earlier have an exploitable Same-Origin Method Execution vulnerability. Successful exploitation could lead to JavaScript code execution in the context of the PhoneGap app. | |||||
| CVE-2018-11411 | 1 Dimoncoin | 1 Dimoncoin | 2018-06-26 | 5.0 MEDIUM | 7.5 HIGH |
| The transferFrom function of a smart contract implementation for DimonCoin (FUD), an Ethereum ERC20 token, allows attackers to steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect. | |||||
| CVE-2017-17158 | 1 Huawei | 14 Berlin-l21hn, Berlin-l21hn Firmware, Prague-al00a and 11 more | 2018-06-26 | 2.1 LOW | 4.6 MEDIUM |
| Some Huawei smart phones with the versions before Berlin-L21HNC185B381; the versions before Prague-AL00AC00B223; the versions before Prague-AL00BC00B223; the versions before Prague-AL00CC00B223; the versions before Prague-L31C432B208; the versions before Prague-TL00AC01B223; the versions before Prague-TL00AC01B223 have an information exposure vulnerability. When the user's smart phone connects to the malicious device for charging, an unauthenticated attacker may activate some specific function by sending some specially crafted messages. Due to insufficient input validation of the messages, successful exploit may cause information exposure. | |||||