National Vulnerability Database


The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
 
Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2018-10086 CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval('function testfunction'.rand()" and it is possible to bypass certain restrictions on these "testfunc...
    Published: April 13, 2018; 01:29:00 AM -04:00

  • CVE-2018-10085 CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of \lib\classes\internal\class.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code,...
    Published: April 13, 2018; 01:29:00 AM -04:00

  • CVE-2018-10084 CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because an SHA-1 cryptographic protection mechani...
    Published: April 13, 2018; 01:29:00 AM -04:00

  • CVE-2018-10083 CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary file deletion vulnerability in the admin dashboard via directory traversal sequences in the val parameter within a cmd=del request, because code under modules\FilePicker does not restrict th...
    Published: April 13, 2018; 01:29:00 AM -04:00

  • CVE-2018-10082 CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.tas...
    Published: April 13, 2018; 01:29:00 AM -04:00

  • CVE-2018-10081 CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the "0e" substring.
    Published: April 13, 2018; 01:29:00 AM -04:00

  • CVE-2018-10061 Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
    Published: April 12, 2018; 12:29:00 PM -04:00

  • CVE-2018-10060 Cacti before 1.1.37 has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
    Published: April 12, 2018; 12:29:00 PM -04:00

  • CVE-2018-10059 Cacti before 1.1.37 has XSS because the get_current_page function in lib/functions.php relies on $_SERVER['PHP_SELF'] instead of $_SERVER['SCRIPT_NAME'] to determine a page name.
    Published: April 12, 2018; 12:29:00 PM -04:00

  • CVE-2018-10033 CMS Made Simple (aka CMSMS) 2.2.7 has Stored XSS in admin/siteprefs.php via the metadata parameter.
    Published: April 11, 2018; 03:29:00 PM -04:00

  • CVE-2018-10032 CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_version parameter.
    Published: April 11, 2018; 03:29:00 PM -04:00

  • CVE-2018-10031 CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/moduleinterface.php.
    Published: April 11, 2018; 03:29:00 PM -04:00

  • CVE-2018-10030 CMS Made Simple (aka CMSMS) 2.2.7 has CSRF in admin/siteprefs.php.
    Published: April 11, 2018; 03:29:00 PM -04:00

  • CVE-2018-10029 CMS Made Simple (aka CMSMS) 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1_name parameter, related to moduledepends, a different vulnerability than CVE-2017-16799.
    Published: April 11, 2018; 03:29:00 PM -04:00

  • CVE-2018-9925 An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request.
    Published: April 10, 2018; 02:29:00 AM -04:00

  • CVE-2018-9924 An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request.
    Published: April 10, 2018; 02:29:00 AM -04:00

  • CVE-2018-9923 An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.
    Published: April 10, 2018; 02:29:00 AM -04:00

  • CVE-2018-9922 An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname.
    Published: April 10, 2018; 02:29:00 AM -04:00

  • CVE-2017-0751 An elevation of privilege vulnerability in the Qualcomm QCE driver. Product: Android. Versions: Android kernel. Android ID: A-36591162. References: QC-CR#2045061.
    Published: April 05, 2018; 02:29:00 PM -04:00

  • CVE-2017-0748 An information disclosure vulnerability in the Qualcomm audio driver. Product: Android. Versions: Android Kernel. Android ID: A-35764875. References: QC-CR#2029798.
    Published: April 05, 2018; 02:29:00 PM -04:00