Total
2896 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-1896 | 1 Ibm | 1 Connections | 2024-11-21 | N/A |
| IBM Connections 5.0, 5.5, and 6.0 is vulnerable to possible host header injection attack that could cause navigation to the attacker's domain. IBM X-Force ID: 152456. | ||||
| CVE-2018-1549 | 1 Ibm | 1 Rational Quality Manager | 2024-11-21 | N/A |
| IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 142658. | ||||
| CVE-2018-1474 | 1 Ibm | 1 Bigfix Platform | 2024-11-21 | N/A |
| IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information. IBM X-force ID: 140692. | ||||
| CVE-2018-1319 | 1 Apache | 1 Allura | 2024-11-21 | N/A |
| In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session. | ||||
| CVE-2018-18996 | 1 Lcds | 1 Laquis Scada | 2024-11-21 | N/A |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper authorization or sanitation, which may allow an attacker to execute remote code on the server. | ||||
| CVE-2018-18992 | 1 Lcds | 1 Laquis Scada | 2024-11-21 | N/A |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows taking in user input without proper sanitation, which may allow an attacker to execute remote code on the server. | ||||
| CVE-2018-18250 | 1 Icinga | 1 Icinga Web 2 | 2024-11-21 | N/A |
| Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item. | ||||
| CVE-2018-18207 | 1 Virtualmin | 1 Virtualmin | 2024-11-21 | N/A |
| Virtualmin 6.03 allows Frame Injection via the settings-editor_read.cgi file parameter. | ||||
| CVE-2018-16763 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 9.8 Critical |
| FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution. | ||||
| CVE-2018-16627 | 1 Getkirby | 1 Kirby | 2024-11-21 | N/A |
| panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. | ||||
| CVE-2018-16492 | 2 Extend Project, Redhat | 2 Extend, Quay | 2024-11-21 | N/A |
| A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype. | ||||
| CVE-2018-16491 | 1 Dreamerslab | 1 Node.extend | 2024-11-21 | N/A |
| A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype. | ||||
| CVE-2018-16490 | 1 Mpath Project | 1 Mpath | 2024-11-21 | N/A |
| A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype. | ||||
| CVE-2018-16489 | 1 Just-extend Project | 1 Just-extend | 2024-11-21 | 9.8 Critical |
| A prototype pollution vulnerability was found in just-extend <4.0.0 that allows attack to inject properties onto Object.prototype through its functions. | ||||
| CVE-2018-16486 | 1 Defaults-deep Project | 1 Defaults-deep | 2024-11-21 | N/A |
| A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype. | ||||
| CVE-2018-1000854 | 1 Esigate | 1 Esigate | 2024-11-21 | N/A |
| esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. This attack appear to be exploitable via Use of another weakness in backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3. | ||||
| CVE-2018-1000193 | 2 Jenkins, Oracle | 2 Jenkins, Communications Cloud Native Core Automated Test Suite | 2024-11-21 | 4.3 Medium |
| A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI. | ||||
| CVE-2018-1000130 | 2 Jolokia, Redhat | 2 Webarchive Agent, Jboss Fuse | 2024-11-21 | N/A |
| A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server. | ||||
| CVE-2017-7848 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Thunderbird, Enterprise Linux and 5 more | 2024-11-21 | N/A |
| RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2. | ||||
| CVE-2017-7846 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Thunderbird, Enterprise Linux and 5 more | 2024-11-21 | N/A |
| It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format". This vulnerability affects Thunderbird < 52.5.2. | ||||