Vulnerabilities > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-07-24 | CVE-2018-14583 | Cross-Site Request Forgery (CSRF) vulnerability in Xyhcms 3.5 xyhai.php?s=/Auth/addUser in XYHCMS 3.5 allows CSRF to add a background administrator account. | 8.8 |
2018-07-24 | CVE-2018-14582 | Cross-Site Request Forgery (CSRF) vulnerability in Bagesoft Bagecms 3.1.3 index.php?r=admini/admin/create in BageCMS V3.1.3 allows CSRF to add a background administrator account. | 8.8 |
2018-07-24 | CVE-2018-5387 | Improper Verification of Cryptographic Signature vulnerability in Wizkunde Samlbase Wizkunde SAMLBase may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to potentially bypass authentication to SAML service providers. | 7.5 |
2018-07-24 | CVE-2018-5386 | Information Exposure vulnerability in Navarino Infinity 2.2 Some Navarino Infinity functions, up to version 2.2, placed in the URL can bypass any authentication mechanism leading to an information leak. | 7.5 |
2018-07-24 | CVE-2018-5385 | Session Fixation vulnerability in Navarino Infinity 2.2 Navarino Infinity is prone to session fixation attacks. | 8.8 |
2018-07-24 | CVE-2017-3224 | Insufficient Verification of Data Authenticity vulnerability in multiple products Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. | 8.2 |
2018-07-24 | CVE-2017-3217 | Missing Authentication for Critical Function vulnerability in Calamp products CalAmp LMU 3030 series OBD-II CDMA and GSM devices have an SMS (text message) interface that can be deployed with no password configured for this interface by the integrator / reseller. | 8.1 |
2018-07-24 | CVE-2017-3210 | Configuration vulnerability in multiple products Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. | 7.8 |
2018-07-24 | CVE-2017-3209 | Incorrect Default Permissions vulnerability in Dbpower U818A Firmware The DBPOWER U818A WIFI quadcopter drone provides FTP access over its own local access point, and allows full file permissions to the anonymous user. | 8.1 |
2018-07-24 | CVE-2017-3189 | Unrestricted Upload of File with Dangerous Type vulnerability in Dotcms The "Push Publishing" feature (Enterprise Pro) of the dotCMS administration panel, versions 3.7.1 and earlier, is vulnerable to arbitrary file upload. | 8.1 |