Vulnerabilities > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-04-09 | CVE-2018-0554 | Missing Authentication for Critical Function vulnerability in Buffalo Wzr-1750Dhp2 Firmware 2.28/2.30. Buffalo WZR-1750DHP2 Ver.2.30 and earlier allows an attacker to bypass authentication and execute arbitrary commands on the device via unspecified vectors. | 8.8 |
2018-04-09 | CVE-2018-0553 | Improper Certificate Validation vulnerability in Glamo Iremocon Wifi 4.1.7. The iRemoconWiFi App for Android version 4.1.7 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 7.4 |
2018-04-09 | CVE-2018-9856 | Cross-Site Request Forgery (CSRF) vulnerability in Kotti Project Kotti. Kotti before 1.3.2 and 2.x before 2.0.0b2 has CSRF in the local roles implementation, as demonstrated by triggering a permission change via a /admin-document/@@share request. | 8.8 |
2018-04-08 | CVE-2018-9851 | Path Traversal vulnerability in Gxlcms QY 1.0.0713. In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to read any file via a modified pathname in an Admin-Tpl request, as demonstrated by use of '\|' instead of '/' as a directory separator, in conjunction with a ".." sequence. | 7.5 |
2018-04-08 | CVE-2018-9850 | Path Traversal vulnerability in Gxlcms QY 1.0.0713. In Gxlcms QY v1.0.0713, Lib\Lib\Action\Admin\DataAction.class.php allows remote attackers to delete any file via directory traversal sequences in the id parameter of an Admin-Data-del request. | 7.5 |
2018-04-07 | CVE-2018-9846 | Improper Input Validation vulnerability in multiple products. In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. | 8.8 |
2018-04-07 | CVE-2018-9327 | Improper Input Validation vulnerability in Etherpad. Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. | 8.1 |
2018-04-07 | CVE-2018-9325 | Information Exposure vulnerability in Etherpad. Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to export all the existing pads of an instance without knowledge of pad names. | 7.5 |
2018-04-07 | CVE-2018-9841 | Out-of-bounds Read vulnerability in Ffmpeg. The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via a long filename. | 8.8 |
2018-04-07 | CVE-2018-9331 | Path Traversal vulnerability in Zzcms 8.2. An issue was discovered in zzcms 8.2. | 7.5 |