Vulnerabilities > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-09-21 | CVE-2018-16784 | XML Injection (aka Blind XPath Injection) vulnerability in Dedecms 5.7 DedeCMS 5.7 SP2 allows XML injection, and resultant remote code execution, via a "<file type='file' name='../" substring. | 7.2 |
| 2018-09-21 | CVE-2018-3876 | Classic Buffer Overflow vulnerability in Samsung Sth-Eth-250 Firmware 0.20.17 An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. | 8.8 |
| 2018-09-21 | CVE-2018-1711 | Incorrect Permission Assignment for Critical Resource vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to to gain privileges due to allowing modification of columns of existing tasks. | 7.8 |
| 2018-09-21 | CVE-2018-1710 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM DB2 10.1/10.5/11.1 IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 tool db2licm is affected by buffer overflow vulnerability that can potentially result in arbitrary code execution. | 7.8 |
| 2018-09-21 | CVE-2018-14645 | Out-of-bounds Read vulnerability in multiple products A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. | 7.5 |
| 2018-09-21 | CVE-2018-17297 | Path Traversal vulnerability in Hutool The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within a ZIP archive. | 7.5 |
| 2018-09-21 | CVE-2018-17293 | NULL Pointer Dereference vulnerability in Webassembly Virtual Machine Project Webassembly Virtual Machine An issue was discovered in WAVM before 2018-09-16. | 8.8 |
| 2018-09-21 | CVE-2018-17283 | SQL Injection vulnerability in Zohocorp Manageengine Opmanager Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. | 7.5 |
| 2018-09-20 | CVE-2018-16752 | Insecure Default Initialization of Resource vulnerability in Linknet-Usa Lw-N605R Firmware 12.20.2.1486 LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. | 8.8 |
| 2018-09-20 | CVE-2018-16282 | OS Command Injection vulnerability in Moxa Edr-810 Firmware 4.2 A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI. | 8.8 |