CVEs from 2018
Total
2,887
critical
critical 238
high
high 329
medium
medium 259
low
low 39
% Critical
8.2%
% with KEV
3.1%
% with exploit
9.0%
Top vendors
- intel 1,561
- schneider-electric 43
- siemens 42
- rockwellautomation 16
- echelon 15
- redhat 12
- oracle 9
- mitel 8
Top products
- core_i7 379
- core_i5 375
- core_i3 242
- xeon_e5 82
- xeon_e7 62
- xeon_e3 58
- xeon_gold 33
- atom_z 30
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-12181 | medium | — | 5.5 | 7y ago | RHSA-2019:3338: edk2 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-15518 | medium | — | 5.5 | 7y ago | RHSA-2019:3390: qt5-qtbase security and bug fix update (Moderate) | |||
| CVE-2018-12900 | medium | — | 5.5 | 7y ago | RHSA-2019:3419: libtiff security update (Moderate) | |||
| CVE-2018-19873 | medium | — | 5.5 | 7y ago | RHSA-2019:3390: qt5-qtbase security and bug fix update (Moderate) | |||
| CVE-2018-1000877 | medium | — | 5.5 | 7y ago | RHSA-2019:3698: libarchive security and bug fix update (Moderate) | |||
| CVE-2018-19870 | medium | — | 5.5 | 7y ago | RHSA-2019:3390: qt5-qtbase security and bug fix update (Moderate) | |||
| CVE-2018-12121 | medium | — | 5.5 | 7y ago | RHSA-2019:3497: http-parser security and bug fix update (Moderate) | |||
| CVE-2018-20685 | medium | — | 5.5 | 7y ago | In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the tar… | |||
| CVE-2018-16890 | medium | — | 5.5 | 7y ago | libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does… | |||
| CVE-2018-20534 | medium | — | 5.5 | 7y ago | There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects t… | |||
| CVE-2018-20483 | medium | — | 5.5 | 7y ago | RHSA-2019:3701: curl security and bug fix update (Moderate) | |||
| CVE-2018-1000878 | medium | — | 5.5 | 7y ago | RHSA-2019:3698: libarchive security and bug fix update (Moderate) | |||
| CVE-2018-20551 | medium | — | 5.5 | 7y ago | A reachable Object::getString assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Anno… | |||
| CVE-2018-18897 | medium | — | 5.5 | 7y ago | An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo. | |||
| CVE-2018-20650 | medium | — | 5.5 | 7y ago | A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec clas… | |||
| CVE-2018-20481 | medium | — | 5.5 | 7y ago | XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when… | |||
| CVE-2018-20662 | medium | — | 5.5 | 7y ago | In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by craft… | |||
| CVE-2018-18508 | medium | — | 5.5 | 7y ago | In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service. | |||
| CVE-2018-19800 | medium | — | 5.5 | 7y ago | aubio v0.4.0 to v0.4.8 has a Buffer Overflow in new_aubio_tempo. | |||
| CVE-2018-19802 | medium | — | 5.5 | 7y ago | aubio v0.4.0 to v0.4.8 has a new_aubio_onset NULL pointer dereference. | |||
| CVE-2018-19801 | medium | — | 5.5 | 7y ago | aubio v0.4.0 to v0.4.8 has a NULL pointer dereference in new_aubio_filterbank via invalid n_filters. | |||
| CVE-2018-20677 | medium | — | 5.5 | 8y ago | RHSA-2020:4670: idm:DL1 and idm:client security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-20676 | medium | — | 5.5 | 8y ago | RHSA-2020:4670: idm:DL1 and idm:client security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-7536 | medium | — | 5.5 | 8y ago | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastroph… | |||
| CVE-2018-7537 | medium | — | 5.5 | 8y ago | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they w… | |||
| CVE-2018-20060 | medium | — | 5.5 | 8y ago | RHSA-2020:1916: python-pip security update (Moderate) | |||
| CVE-2018-20097 | medium | — | 5.5 | 8y ago | RHSA-2020:1577: exiv2 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-20099 | medium | — | 5.5 | 8y ago | RHSA-2020:1577: exiv2 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-20096 | medium | — | 5.5 | 8y ago | RHSA-2020:1577: exiv2 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-20098 | medium | — | 5.5 | 8y ago | RHSA-2020:1577: exiv2 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-19352 | medium | — | 5.5 | 8y ago | Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely. | |||
| CVE-2018-19351 | medium | — | 5.5 | 8y ago | Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can e… | |||
| CVE-2018-18074 | medium | — | 5.5 | 8y ago | RHSA-2020:1916: python-pip security update (Moderate) | |||
| CVE-2018-3750 | medium | — | 5.5 | 8y ago | RHSA-2021:0549: nodejs:12 security update (Moderate) | |||
| CVE-2018-14574 | medium | — | 5.5 | 8y ago | django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. | |||
| CVE-2018-14404 | medium | — | 5.5 | 8y ago | RHSA-2020:1827: libxml2 security update (Moderate) | |||
| CVE-2018-6188 | medium | — | 5.5 | 8y ago | django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from th… | |||
| CVE-2018-16984 | medium | — | 5.5 | 8y ago | An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display a… | |||
| CVE-2018-1000559 | medium | — | 5.5 | 8y ago | qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via… | |||
| CVE-2018-14042 | medium | — | 5.5 | 8y ago | RHSA-2020:4847: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-1999024 | medium | — | 5.5 | 8y ago | MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. Th… | |||
| CVE-2018-3740 | medium | — | 5.5 | 8y ago | A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element. | |||
| CVE-2018-25384 | medium | 5.4 | 5.4 | 6d ago | Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can pos… | |||
| CVE-2018-25334 | medium | 5.4 | 5.4 | 18d ago | Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but… | |||
| CVE-2018-7795 | medium | 5.4 | 5.4 | 8y ago | A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting … | |||
| CVE-2018-25435 | medium | 5.3 | 5.3 | 2d ago | ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate cu… | |||
| CVE-2018-25397 | medium | 5.3 | 5.3 | 6d ago | PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated … | |||
| CVE-2018-25387 | medium | 5.3 | 5.3 | 6d ago | HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft… | |||
| CVE-2018-25370 | medium | 5.3 | 5.3 | 10d ago | Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious H… | |||
| CVE-2018-25336 | medium | 5.3 | 5.3 | 18d ago | jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML form… | |||
| CVE-2018-25327 | medium | 5.3 | 5.3 | 18d ago | Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTM… | |||
| CVE-2018-25298 | medium | 5.3 | 5.3 | 1mo ago | Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attacker… | |||
| CVE-2018-10626 | medium | 4.4 | 4.4 | 8y ago | Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired … | |||
| CVE-2018-25363 | medium | 4.3 | 4.3 | 10d ago | Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms t… | |||
| CVE-2018-25354 | medium | 4.3 | 4.3 | 12d ago | Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pag… | |||
| CVE-2018-25343 | medium | 4.3 | 4.3 | 12d ago | Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft H… | |||
| CVE-2018-25337 | medium | 4.3 | 4.3 | 18d ago | Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML fo… | |||
| CVE-2018-25321 | medium | 4.3 | 4.3 | 18d ago | TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attacker… | |||
| CVE-2018-25310 | medium | 4.3 | 4.3 | 1mo ago | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cros… | |||
| CVE-2018-0737 | low | — | 2.5 | — | The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key gen… | |||
| CVE-2018-7174 | low | — | 2.5 | — | An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref allows an attacker to cause denial of service because loop detection exists only for tables, not streams. | |||
| CVE-2018-7454 | low | — | 2.5 | — | A NULL pointer dereference in XFAForm::scanFields in XFAForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | |||
| CVE-2018-9234 | low | — | 2.5 | — | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with acce… | |||
| CVE-2018-7453 | low | — | 2.5 | — | Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml. | |||
| CVE-2018-7452 | low | — | 2.5 | — | A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | |||
| CVE-2018-0502 | low | — | 2.5 | — | insufficient validation in zsh | |||
| CVE-2018-13259 | low | — | 2.5 | — | insufficient validation in zsh | |||
| CVE-2018-6942 | low | — | 2.5 | — | An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file. | |||
| CVE-2018-7173 | low | — | 2.5 | — | A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding. | |||
| CVE-2018-12558 | low | — | 2.5 | — | The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that c… | |||
| CVE-2018-18445 | low | — | 2.5 | — | In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min… | |||
| CVE-2018-1071 | low | — | 2.5 | — | zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service. | |||
| CVE-2018-9055 | low | — | 2.5 | — | denial of service in jasper | |||
| CVE-2018-7175 | low | — | 2.5 | — | An issue was discovered in xpdf 4.00. A NULL pointer dereference in readCodestream allows an attacker to cause denial of service via a JPX image with zero components. | |||
| CVE-2018-7455 | low | — | 2.5 | — | An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | |||
| CVE-2018-0732 | low | — | 2.5 | — | During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long pe… | |||
| CVE-2018-5388 | low | — | 2.5 | — | In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. | |||
| CVE-2018-8956 | low | — | 2.5 | — | ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via soofed mode 3 and mode 5 packet… | |||
| CVE-2018-20225 | low | — | 2.5 | — | arbitrary code execution in python-pip | |||
| CVE-2018-20482 | low | — | 2.5 | — | GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c)… | |||
| CVE-2018-12699 | low | — | 2.5 | 2y ago | RHSA-2024:9689: binutils security update (Low) | |||
| CVE-2018-20673 | low | — | 2.5 | 5y ago | RHSA-2021:4386: gcc security and bug fix update (Low) | |||
| CVE-2018-10896 | low | — | 2.5 | 6y ago | RHSA-2020:3050: cloud-init security, bug fix, and enhancement update (Low) | |||
| CVE-2018-7263 | low | — | 2.5 | 6y ago | RHSA-2020:1631: GStreamer, libmad, and SDL security, bug fix, and enhancement update (Low) | |||
| CVE-2018-19840 | low | — | 2.5 | 6y ago | RHSA-2020:1581: wavpack security update (Low) | |||
| CVE-2018-19841 | low | — | 2.5 | 6y ago | RHSA-2020:1581: wavpack security update (Low) | |||
| CVE-2018-19519 | low | — | 2.5 | 6y ago | RHSA-2020:1604: tcpdump security update (Low) | |||
| CVE-2018-10910 | low | — | 2.5 | 6y ago | RHSA-2020:1912: bluez security update (Low) | |||
| CVE-2018-10393 | low | — | 2.5 | 7y ago | RHSA-2019:3703: libvorbis security update (Low) | |||
| CVE-2018-10392 | low | — | 2.5 | 7y ago | RHSA-2019:3703: libvorbis security update (Low) | |||
| CVE-2018-18751 | low | — | 2.5 | 7y ago | RHSA-2019:3643: gettext security update (Low) | |||
| CVE-2018-5745 | low | — | 2.5 | 7y ago | RHSA-2019:3552: bind security and bug fix update (Low) | |||
| CVE-2018-6616 | low | — | 2.5 | 7y ago | RHBA-2019:3408: openjpeg2 bug fix and enhancement update (Low) | |||
| CVE-2018-20657 | low | — | 2.5 | 7y ago | RHSA-2019:3352: gdb security, bug fix, and enhancement update (Low) | |||
| CVE-2018-16838 | low | — | 2.5 | 7y ago | RHSA-2019:3651: sssd security, bug fix, and enhancement update (Low) | |||
| CVE-2018-10932 | low | — | 2.5 | 7y ago | RHSA-2019:3673: lldpad security and bug fix update (Low) | |||
| CVE-2018-0734 | low | — | 2.5 | 7y ago | RHSA-2019:3700: openssl security, bug fix, and enhancement update (Low) | |||
| CVE-2018-0735 | low | — | 2.5 | 7y ago | RHSA-2019:3700: openssl security, bug fix, and enhancement update (Low) |