CVEs from 2018
Total: 2,841
Severity (of the 2,841 total; the remaining 1,970 carry no severity rating):
- critical 238
- high 331
- medium 263
- low 39
% Critical: 8.4%
% with KEV (listed in CISA's Known Exploited Vulnerabilities catalog): 3.1%
% with exploit: 9.1%
Top vendors
- intel 1,561
- schneider-electric 43
- siemens 42
- rockwellautomation 16
- echelon 15
- redhat 12
- oracle 9
- arm 9
Top products
- core_i7 379
- core_i5 375
- core_i3 242
- xeon_e5 82
- xeon_e7 62
- xeon_e3 58
- xeon_gold 33
- atom_z 30
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1098 | unknown | — | — | 4y ago | A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done wit… | |||
| CVE-2018-1002207 | unknown | — | — | 4y ago | Arbitrary File Write via Archive Extraction in mholt/archiver in github.com/mholt/archiver | |||
| CVE-2018-1000803 | unknown | — | — | 4y ago | Gitea Exposes Private Email Addresses in github.com/go-gitea/gitea | |||
| CVE-2018-21234 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Jodd | |||
| CVE-2018-20301 | unknown | — | — | 4y ago | Permissive parameters and privilege escalation | |||
| CVE-2018-10125 | unknown | — | — | 4y ago | Cross-site Scripting in Contao | |||
| CVE-2018-11764 | unknown | — | — | 4y ago | Authentication bypass in Apache Hadoop | |||
| CVE-2018-11802 | unknown | — | — | 4y ago | Incorrect Authorization in Apache Solr | |||
| CVE-2018-1107 | unknown | — | — | 5y ago | Regular expression denial of service (ReDoS) in is-my-json-valid | |||
| CVE-2018-1109 | unknown | — | — | 5y ago | A vulnerability was found in Braces versions 2.2.0 and above, prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. | |||
| CVE-2018-16153 | unknown | — | — | 5y ago | Opencast publishes global system account credentials | |||
| CVE-2018-5268 | unknown | — | — | 5y ago | Out-of-bounds Write in OpenCV. | |||
| CVE-2018-5269 | unknown | — | — | 5y ago | Reachable Assertion in OpenCV. | |||
| CVE-2018-3718 | unknown | — | — | 5y ago | vercel/serve allows access to restricted files if filename is URL encoded. | |||
| CVE-2018-19184 | unknown | — | — | 5y ago | Go Ethereum Denial of Service in github.com/ethereum/go-ethereum | |||
| CVE-2018-15178 | unknown | — | — | 5y ago | Open Redirect in gogs.io/gogs | |||
| CVE-2018-20321 | unknown | — | — | 5y ago | Access Control Bypass in github.com/rancher/rancher | |||
| CVE-2018-6558 | unknown | — | — | 5y ago | The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a… | |||
| CVE-2018-10704 | unknown | — | — | 5y ago | Cross-site Scripting in yii2cmf | |||
| CVE-2018-16733 | unknown | — | — | 5y ago | Go Ethereum Improper Input Validation in github.com/ethereum/go-ethereum | |||
| CVE-2018-17419 | unknown | — | — | 5y ago | Denial of service via malformed zone file in github.com/miekg/dns | |||
| CVE-2018-11765 | unknown | — | — | 5y ago | Improper Authentication in Apache Hadoop | |||
| CVE-2018-8292 | unknown | — | — | 5y ago | .NET Core Information Disclosure | |||
| CVE-2018-25007 | unknown | — | — | 5y ago | Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11 | |||
| CVE-2018-14550 | unknown | — | — | 5y ago | Out-of-bounds write in libpng | |||
| CVE-2018-7667 | unknown | — | — | 5y ago | vrana/adminer vulnerable to SSRF by connecting to privileged ports | |||
| CVE-2018-1285 | unknown | — | — | 5y ago | Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled … | |||
| CVE-2018-8092 | unknown | — | — | 6y ago | CSV Injection vulnerability with exported contact lists in Mautic | |||
| CVE-2018-11200 | unknown | — | — | 6y ago | XSS vulnerability in company name field in Mautic | |||
| CVE-2018-10189 | unknown | — | — | 6y ago | Mautic Sessions could be hijacked due to tracking contacts by an auto-incremented ID | |||
| CVE-2018-8071 | unknown | — | — | 6y ago | XSS vulnerability in theme config file in Mautic | |||
| CVE-2018-11198 | unknown | — | — | 6y ago | XSS vulnerability in Author URL of themes in Mautic | |||
| CVE-2018-17145 | unknown | — | — | 6y ago | Bitcoin Inventory Out-of-Memory Denial-of-Service Attack (CVE-2018-17145) | |||
| CVE-2018-25083 | unknown | — | — | 6y ago | pullit vulnerable to command injection | |||
| CVE-2018-14730 | unknown | — | — | 6y ago | Missing Origin Validation in browserify-hmr | |||
| CVE-2018-3757 | unknown | — | — | 6y ago | Command Injection in pdf-image | |||
| CVE-2018-3727 | unknown | — | — | 6y ago | Path Traversal in 626 | |||
| CVE-2018-21036 | unknown | — | — | 6y ago | Improper Input Validation in sails-hook-sockets | |||
| CVE-2018-5968 | unknown | — | — | 6y ago | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization fl… | |||
| CVE-2018-10237 | unknown | — | — | 6y ago | Denial of Service in Google Guava | |||
| CVE-2018-15756 | unknown | — | — | 6y ago | Denial of Service in Spring Framework | |||
| CVE-2018-12023 | unknown | — | — | 6y ago | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JD… | |||
| CVE-2018-21233 | unknown | — | — | 6y ago | TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decod… | |||
| CVE-2018-19296 | unknown | — | — | 6y ago | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. | |||
| CVE-2018-11768 | unknown | — | — | 7y ago | user/group information can be corrupted across storing in fsimage and reading back from fsimage | |||
| CVE-2018-21030 | unknown | — | — | 7y ago | Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document. | |||
| CVE-2018-20858 | unknown | — | — | 7y ago | Recommender before 2018-07-18 allows XSS. | |||
| CVE-2018-20975 | unknown | — | — | 7y ago | Cross-site scripting in fat_free_crm | |||
| CVE-2018-11779 | unknown | — | — | 7y ago | Deserialization of Untrusted Data in Apache Storm | |||
| CVE-2018-20857 | unknown | — | — | 7y ago | samlr XML nodes comment attack | |||
| CVE-2018-15890 | unknown | — | — | 7y ago | Deserialization of Untrusted Data in EthereumJ | |||
| CVE-2018-11307 | unknown | — | — | 7y ago | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11… | |||
| CVE-2018-21270 | unknown | — | — | 7y ago | Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when us… | |||
| CVE-2018-8029 | unknown | — | — | 7y ago | Privilege escalation vulnerability in Apache Hadoop | |||
| CVE-2018-19048 | unknown | — | — | 7y ago | Cross-Site Scripting in simditor | |||
| CVE-2018-17201 | unknown | — | — | 7y ago | Improper Input Validation in Apache Sanselan | |||
| CVE-2018-17202 | unknown | — | — | 7y ago | Infinite Loop in Apache Sanselan | |||
| CVE-2018-8035 | unknown | — | — | 7y ago | Cross-site Scripting in Apache UIMA | |||
| CVE-2018-20834 | unknown | — | — | 7y ago | A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already e… | |||
| CVE-2018-20835 | unknown | — | — | 7y ago | A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction… | |||
| CVE-2018-7577 | unknown | — | — | 7y ago | Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory. | |||
| CVE-2018-10055 | unknown | — | — | 7y ago | Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted confi… | |||
| CVE-2018-7575 | unknown | — | — | 7y ago | Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent. | |||
| CVE-2018-8825 | unknown | — | — | 7y ago | Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). | |||
| CVE-2018-7576 | unknown | — | — | 7y ago | Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent. | |||
| CVE-2018-1328 | unknown | — | — | 7y ago | Cross-site Scripting in Apache Zeppelin | |||
| CVE-2018-1317 | unknown | — | — | 7y ago | Improper Authentication in Apache Zeppelin | |||
| CVE-2018-12680 | unknown | — | — | 7y ago | The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoA… | |||
| CVE-2018-12679 | unknown | — | — | 7y ago | The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP… | |||
| CVE-2018-12545 | unknown | — | — | 7y ago | Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server | |||
| CVE-2018-12022 | unknown | — | — | 7y ago | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db j… | |||
| CVE-2018-11767 | unknown | — | — | 7y ago | Improper Privilege Management in org.apache.hadoop:hadoop-main | |||
| CVE-2018-20801 | unknown | — | — | 7y ago | Regular Expression Denial of Service in highcharts | |||
| CVE-2018-1324 | unknown | — | — | 7y ago | Apache Commons Compress vulnerable to denial of service due to infinite loop | |||
| CVE-2018-1334 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark | |||
| CVE-2018-8024 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL | |||
| CVE-2018-6517 | unknown | — | — | 7y ago | Improper Certificate Validation in chloride | |||
| CVE-2018-11793 | unknown | — | — | 7y ago | Stack Overflow in Apache Mesos | |||
| CVE-2018-20244 | unknown | — | — | 7y ago | In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. | |||
| CVE-2018-20164 | unknown | — | — | 7y ago | An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setti… | |||
| CVE-2018-16485 | unknown | — | — | 7y ago | m-server Vulnerable to Directory Traversal | |||
| CVE-2018-1296 | unknown | — | — | 7y ago | Exposure of Sensitive Information to an Unauthorized Actor in Hadoop | |||
| CVE-2018-20242 | unknown | — | — | 7y ago | Cross-site Scripting in jspwiki-war | |||
| CVE-2018-16202 | unknown | — | — | 7y ago | Path Traversal in cordova-plugin-ionic-webview | |||
| CVE-2018-16493 | unknown | — | — | 7y ago | Path Traversal in simplehttpserver | |||
| CVE-2018-16491 | unknown | — | — | 7y ago | A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype. | |||
| CVE-2018-16490 | unknown | — | — | 7y ago | Prototype Pollution in mpath | |||
| CVE-2018-16489 | unknown | — | — | 7y ago | Prototype Pollution in just-extend | |||
| CVE-2018-16486 | unknown | — | — | 7y ago | Prototype Pollution in defaults-deep | |||
| CVE-2018-16484 | unknown | — | — | 7y ago | Cross-Site Scripting in m-server | |||
| CVE-2018-16483 | unknown | — | — | 7y ago | Authentication Bypass by Spoofing in express-cart | |||
| CVE-2018-16482 | unknown | — | — | 7y ago | mcstatic directory traversal vulnerability | |||
| CVE-2018-16481 | unknown | — | — | 7y ago | Cross-Site Scripting in html-pages | |||
| CVE-2018-16480 | unknown | — | — | 7y ago | Tnantoka/public XSS Vulnerability | |||
| CVE-2018-16479 | unknown | — | — | 7y ago | Path Traversal in http-live-simulator | |||
| CVE-2018-16492 | unknown | — | — | 7y ago | A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype. | |||
| CVE-2018-11760 | unknown | — | — | 7y ago | When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2.2.… | |||
| CVE-2018-16487 | unknown | — | — | 7y ago | A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype. | |||
| CVE-2018-20245 | unknown | — | — | 8y ago | The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checki… | |||
| CVE-2018-1320 | unknown | — | — | 8y ago | Improper Input Validation in Apache Thrift |
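The prototype pollution entries in the table (extend, node.extend, lodash merge/mergeWith/defaultsDeep, just-extend, defaults-deep, mpath) share one mechanism: a recursive merge walks every key of attacker-controlled JSON, including `__proto__`, and so writes into `Object.prototype`. The following is an added example and not code from any of those packages: a minimal vulnerable deep merge beside a hardened one. The JSON payload and the `isAdmin` property are constructed for illustration.

```javascript
'use strict';

// Constructed attacker input, as a JSON body might arrive at a merge-based
// config or options parser. JSON.parse creates an OWN property named
// "__proto__" here; it does not touch the prototype by itself.
const PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}, "theme": "dark"}');

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable deep merge (the shape shared by the affected extend/defaultsDeep
// style helpers): it recurses into every key, "__proto__" included. Reading
// target["__proto__"] yields Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: own keys only, the three keys that reach a prototype
// are skipped, and nested targets are created unless they are OWN plain objects.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Returns true if an unrelated object gained the attacker's property,
// i.e. Object.prototype was polluted. Cleans up so the process stays usable.
function demoUnsafe() {
  const options = unsafeMerge({}, PAYLOAD);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true && options.theme === 'dark';
  delete Object.prototype.isAdmin;
  return polluted;
}

// Returns true if the hardened merge kept the real key and dropped the payload.
function demoSafe() {
  const options = safeMerge({}, PAYLOAD);
  const unrelated = {};
  return options.theme === 'dark' && unrelated.isAdmin === undefined && !hasOwn(Object.prototype, 'isAdmin');
}

console.log('unsafeMerge polluted Object.prototype:', demoUnsafe()); // true
console.log('safeMerge kept the prototype clean:', demoSafe());      // true
```

The cheapest detection check in a running service is the last condition in `demoSafe`: `Object.prototype` should never own keys, so an own-property check on it after parsing untrusted input catches pollution regardless of which merge helper let it through.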
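The path traversal and archive extraction entries in the table (vercel/serve, simplehttpserver, mcstatic, http-live-simulator, m-server, mholt/archiver, node-tar, tar-fs) come down to two checks: a path must still resolve inside the served or extraction root after it has been decoded once, and a link entry's target must resolve inside that root as well, with a later regular file never written through an earlier link. The following is an added example and not code from any of those projects: the root directories, the deny list and the sample archive listing are constructed.

```javascript
'use strict';
const P = require('path').posix; // POSIX semantics so results are identical on every platform

// Constructed deny list for the static-server case; the advisories above do not name one.
const DENIED_SEGMENTS = new Set(['.git', '.env', 'node_modules']);

// Resolve `name` against `root` and return the absolute path only if it stays
// inside root, else null. Absolute names and '..' escapes both fail here.
function resolveInside(root, name) {
  const abs = P.resolve(root, name);
  const rel = P.relative(root, abs);
  if (rel === '..' || rel.startsWith('../') || P.isAbsolute(rel)) return null;
  return abs;
}

// Static-server check: decode exactly once, then resolve, then apply the deny
// list to the decoded path. Matching the deny list against the raw URL is what
// lets an encoded "%2egit" slip past it (the vercel/serve entry above).
function resolveStaticPath(root, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;
  const abs = resolveInside(root, '.' + (decoded.startsWith('/') ? decoded : '/' + decoded));
  if (abs === null) return null;
  for (const seg of P.relative(root, abs).split('/')) {
    if (DENIED_SEGMENTS.has(seg)) return null;
  }
  return abs;
}

// Archive check. Entries are {name, type, linkname}; type is 'file', 'dir',
// 'symlink' or 'hardlink'. Every name and every link target must resolve inside
// root, and a regular file whose destination was laid down earlier as a link
// must unlink that path first, or its bytes go through the link into the
// link's target (the node-tar / tar-fs hardlink entries above).
function planExtraction(root, entries) {
  const created = new Map(); // dest path -> type already written
  const accepted = [];
  const rejected = [];
  for (const e of entries) {
    const dest = resolveInside(root, e.name);
    if (dest === null) {
      rejected.push({ entry: e, reason: 'name escapes root' });
      continue;
    }
    if (e.type === 'hardlink' || e.type === 'symlink') {
      // tar hardlink targets are archive-relative; symlink targets are relative to the entry's directory
      const base = e.type === 'hardlink' ? root : P.dirname(dest);
      if (resolveInside(root, P.resolve(base, e.linkname)) === null) {
        rejected.push({ entry: e, reason: 'link target escapes root' });
        continue;
      }
    }
    const prior = created.get(dest);
    accepted.push({ entry: e, dest, unlinkFirst: prior === 'hardlink' || prior === 'symlink' });
    created.set(dest, e.type);
  }
  return { accepted, rejected };
}

// Constructed sample archive listing (not a real tarball), modelled on the advisories.
const SAMPLE_ENTRIES = [
  { name: 'ok/a.txt', type: 'file' },
  { name: '../../etc/cron.d/evil', type: 'file' },            // plain traversal
  { name: 'h', type: 'hardlink', linkname: '/etc/passwd' },    // link to a file outside root
  { name: 'h', type: 'file' },                                 // would have written through that link
  { name: 'l', type: 'symlink', linkname: '../../etc' },       // symlink escaping root
  { name: 'inner', type: 'hardlink', linkname: 'ok/a.txt' },   // link inside root: allowed ...
  { name: 'inner', type: 'file' },                             // ... but this write must unlink first
];

const plan = planExtraction('/srv/out', SAMPLE_ENTRIES);
console.log('accepted:', plan.accepted.map(a => `${a.entry.name}${a.unlinkFirst ? ' (unlink first)' : ''}`));
console.log('rejected:', plan.rejected.map(r => `${r.entry.name}: ${r.reason}`));
console.log(resolveStaticPath('/srv/www', '/css/%2e%2e/%2e%2e/etc/passwd')); // null
console.log(resolveStaticPath('/srv/www', '/%2egit/config'));                 // null
console.log(resolveStaticPath('/srv/www', '/css/app.css'));                   // /srv/www/css/app.css
```

The symlink check here only covers the target written by the entry itself; an extractor that follows symlinks created earlier in the same archive still needs to resolve each destination against the real filesystem (or refuse to descend through symlinks) before writing, which is the part a pure listing check cannot do.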