unh3x/just4cve

GitHub

github.com

Releases0

Stars1

cve

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2018-12996 ↗	Jun 29, 2018Friday, 29 June 2018, 12:29	—	4.3 MEDIUM
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.
CVE-2018-12997 ↗	Jun 29, 2018Friday, 29 June 2018, 12:29	7.5 HIGH	5 MEDIUM
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.
CVE-2018-12998 ↗	Jun 29, 2018Friday, 29 June 2018, 12:29	6.1 MEDIUM	4.3 MEDIUM
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
CVE-2018-12999 ↗	Jun 29, 2018Friday, 29 June 2018, 12:29	—	6.4 MEDIUM
Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.
CVE-2018-12055 ↗	Jun 8, 2018Friday, 8 June 2018, 11:29	—	7.5 HIGH
Multiple SQL Injections exist in PHP Scripts Mall Schools Alert Management Script via crafted POST data in contact_us.php, faq.php, about.php, photo_gallery.php, privacy.php, and so on.
CVE-2018-12051 ↗	Jun 8, 2018Friday, 8 June 2018, 11:29	—	7.5 HIGH
Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script via $_FILE in /webmasterst/general.php, as demonstrated by a .php file with the image/jpeg content type.
CVE-2018-12052 ↗	Jun 8, 2018Friday, 8 June 2018, 11:29	—	7.5 HIGH
SQL Injection exists in PHP Scripts Mall Schools Alert Management Script via the q Parameter in get_sec.php.
CVE-2018-12053 ↗	Jun 8, 2018Friday, 8 June 2018, 11:29	—	6.4 MEDIUM
Arbitrary File Deletion exists in PHP Scripts Mall Schools Alert Management Script via the img parameter in delete_img.php by using directory traversal.
CVE-2018-12054 ↗	Jun 8, 2018Friday, 8 June 2018, 11:29	—	5 MEDIUM
Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal.
CVE-2018-11523 ↗	May 29, 2018Tuesday, 29 May 2018, 07:29	—	7.5 HIGH
upload.php on NUUO NVRmini 2 devices allows Arbitrary File Upload, such as upload of .php files.