CVE-2017-15396
A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Source: CVE-2017-15396
CVE-2018-6643
Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter.
Source: CVE-2018-6643
CVE-2018-3908
An exploitable vulnerability exists in the REST parser of video-core’s HTTP server of the Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, URL and body. With the implementation of the on_body callback, defined by sub_41734, an attacker can send an HTTP request to trigger this vulnerability.
Source: CVE-2018-3908
CVE-2018-3895
An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core’s HTTP server of Samsung SmartThings Hub STH-ETH-250 Firmware version 0.20.17. The strncpy call overflows the destination buffer, which has a size of 52 bytes. An attacker can send an arbitrarily long ‘endTime’ value in order to exploit this vulnerability. An attacker can send an HTTP request to trigger this vulnerability.
Source: CVE-2018-3895
CVE-2018-15901
e107 2.1.8 has CSRF in ‘usersettings.php’ with an impact of changing details such as passwords of users including administrators.
Source: CVE-2018-15901
CVE-2018-15884
RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
Source: CVE-2018-15884
CVE-2018-15873
A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.
Source: CVE-2018-15873
CVE-2018-15740
Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.
Source: CVE-2018-15740
CVE-2018-15608
Zoho ManageEngine ADManager Plus 6.5.7 allows HTML Injection on the "AD Delegation" "Help Desk Technicians" screen.
Source: CVE-2018-15608
CVE-2018-14572
In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
Source: CVE-2018-14572