Search Results
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2018-1000865 | A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed. Published: December 10, 2018; 9:29:01 AM -0500 | V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-1000864 | A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. Published: December 10, 2018; 9:29:01 AM -0500 | V3.0: 6.5 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1000863 | A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jenkins. Published: December 10, 2018; 9:29:01 AM -0500 | V3.0: 8.2 HIGH V2.0: 6.4 MEDIUM |
CVE-2018-1000862 | An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace browser. Published: December 10, 2018; 9:29:01 AM -0500 | V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2018-1000861 | A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way. Published: December 10, 2018; 9:29:01 AM -0500 | V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2016-10502 | While generating trusted application id, an integer overflow can occur giving the trusted application an invalid identity in Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835 and SDA660. Published: December 10, 2018; 9:29:00 AM -0500 | V3.0: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2018-20018 | S-CMS V3.0 has SQL injection via the S_id parameter, as demonstrated by the /1/?type=productinfo&S_id=140 URI. Published: December 10, 2018; 4:29:00 AM -0500 | V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2018-20017 | SEMCMS 3.5 has XSS via the first text box to the SEMCMS_Main.php URI. Published: December 10, 2018; 4:29:00 AM -0500 | V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2018-20015 | YzmCMS v5.2 has admin/role/add.html CSRF. Published: December 10, 2018; 4:29:00 AM -0500 | V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2018-20012 | PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=member&c=register&m=index URI. Published: December 10, 2018; 4:29:00 AM -0500 | V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2018-20011 | DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field. Published: December 10, 2018; 4:29:00 AM -0500 | V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2018-20010 | DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field. Published: December 10, 2018; 4:29:00 AM -0500 | V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2018-20009 | DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field. Published: December 10, 2018; 4:29:00 AM -0500 | V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2018-20006 | An issue was discovered in PHPok v5.0.055. There is a Stored XSS vulnerability via the title parameter to api.php?c=post&f=save (reachable via the index.php?id=book URI). Published: December 10, 2018; 1:29:00 AM -0500 | V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-20005 | An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after-free in mxmlWalkNext in mxml-search.c, as demonstrated by mxmldoc. Published: December 10, 2018; 1:29:00 AM -0500 | V3.0: 5.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-20004 | An issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-based buffer overflow in mxml_write_node in mxml-file.c via vectors involving a double-precision floating point number and the '<order type="real">' substring, as demonstrated by testmxml. Published: December 10, 2018; 1:29:00 AM -0500 | V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2018-20002 | The _bfd_generic_read_minisymbols function in syms.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31, has a memory leak via a crafted ELF file, leading to a denial of service (memory consumption), as demonstrated by nm. Published: December 09, 2018; 9:29:00 PM -0500 | V3.0: 5.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-20001 | In Libav 12.3, there is a floating point exception in the range_decode_culshift function (called from range_decode_bits) in libavcodec/apedec.c that will lead to remote denial of service via crafted input. Published: December 09, 2018; 9:29:00 PM -0500 | V3.0: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-20000 | Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. Published: December 09, 2018; 9:29:00 PM -0500 | V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2018-19991 | VeryNginx 0.3.3 allows remote attackers to bypass the Web Application Firewall feature because there is no error handler (for get_uri_args or get_post_args) to block the API misuse described in CVE-2018-9230. Published: December 09, 2018; 7:29:00 PM -0500 | V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |