CVE-2017-6192

Buffer overflow in APNGDis 2.8 and earlier allows a remote attackers to cause denial of service and possibly execute arbitrary code via a crafted image containing a malformed chunk size descriptor.

Source: CVE-2017-6192

CVE-2017-6193

Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted image containing a malformed image size descriptor in the IHDR chunk.

Source: CVE-2017-6193

CVE-2017-16356

Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim’s browser by having them visit a plugins/content/sige/plugin_sige/print.php link with a crafted img, name, or caption parameter.

Source: CVE-2017-16356

CVE-2018-7046

** DISPUTED ** Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.

Source: CVE-2018-7046

CVE-2016-6272

SQL injection vulnerability in EPIC MyChart allows remote attackers to execute arbitrary SQL commands via the topic parameter to help.asp.

Source: CVE-2016-6272

CVE-2018-6356

An issue was discovered in the Extended Choice Parameter (aka extended-choice-parameter) plugin 0.64 for Jenkins 2.89.3. The PATH_INFO filename is vulnerable to path traversal attacks via .. sequences to the /plugin/extended-choice-parameter/js/ URI.

Source: CVE-2018-6356

CVE-2018-6459

The rsa_pss_params_parse function in libstrongswan/credentials/keys/signature_params.c in strongSwan 5.6.1 allows remote attackers to cause a denial of service via a crafted RSASSA-PSS signature that lacks a mask generation function parameter.

Source: CVE-2018-6459

CVE-2018-6940

A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF.

Source: CVE-2018-6940

CVE-2018-6941

A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS.

Source: CVE-2018-6941

CVE-2018-7205

** DISPUTED ** Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.

Source: CVE-2018-7205