Total
4530 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18836 | 1 My-netdata | 1 Netdata | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c. | |||||
| CVE-2018-18835 | 1 Doccms | 1 Doccms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| upload_template() in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file. | |||||
| CVE-2018-18573 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI. | |||||
| CVE-2018-18461 | 1 Kibokolabs | 1 Arigato Autoresponder And Newsletter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments[] data to models/attachment.php. | |||||
| CVE-2018-18426 | 1 S-cms | 1 S-cms | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter. | |||||
| CVE-2018-18319 | 1 Asuswrt-merlin Project | 28 Rt-ac1900, Rt-ac1900 Firmware, Rt-ac2900 and 25 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution | |||||
| CVE-2018-18258 | 1 Bagesoft | 1 Bagecms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in BageCMS 3.1.3. The attacker can execute arbitrary PHP code on the web server and can read any file on the web server via an index.php?r=admini/template/updateTpl&filename= URI. | |||||
| CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. | |||||
| CVE-2018-18083 | 1 Comsenz | 1 Duomicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in DuomiCMS 3.0. Remote PHP code execution is possible via the search.php searchword parameter because "eval" is used during "if" processing. | |||||
| CVE-2018-17827 | 1 Hisiphp | 1 Hisiphp | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by editing a plugin's name to contain that code. This name is then injected into app/admin/model/AdminPlugins.php. | |||||
| CVE-2018-17364 | 1 Otcms | 1 Otcms | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| OTCMS 3.61 allows remote attackers to execute arbitrary PHP code via the accBackupDir parameter. | |||||
| CVE-2018-17207 | 1 Snapcreek | 1 Duplicator | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. | |||||
| CVE-2018-17173 | 1 Lg | 1 Supersign Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail. | |||||
| CVE-2018-17170 | 1 Teamwire | 1 Teamwire | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Grouptime Teamwire Desktop Client 1.5.1 prior to 1.9.0 on Windows allows code injection via a template, leading to remote code execution. All backend versions prior to prod-2018-11-13-15-00-42 are affected. | |||||
| CVE-2018-17134 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field. | |||||
| CVE-2018-17133 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting. | |||||
| CVE-2018-17132 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter. | |||||
| CVE-2018-17131 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field. | |||||
| CVE-2018-17126 | 1 Chshcms | 1 Cscms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php. | |||||
| CVE-2018-17036 | 1 Ucms Project | 1 Ucms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code injection during installation via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php. | |||||