CVEs from 2018
Total: 2,841
- critical 238
- high 331
- medium 263
- low 39
% Critical: 8.4%
% with KEV: 3.1%
% with exploit: 9.1%
Top vendors
- intel 1,561
- schneider-electric 43
- siemens 42
- rockwellautomation 16
- echelon 15
- redhat 12
- oracle 9
- arm 9
Top products
- core_i7 379
- core_i5 375
- core_i3 242
- xeon_e5 82
- xeon_e7 62
- xeon_e3 58
- xeon_gold 33
- atom_z 30
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11798 | unknown | — | — | 8y ago | Apache Thrift Node.js static web server sandbox escape | |||
| CVE-2018-1000809 | unknown | — | — | 8y ago | privacyIDEA version 2.23.1 and earlier contains an Improper Input Validation vulnerability in token validation api that can result in Denial-of-Service. This attack appear to be exploitable via http r… | |||
| CVE-2018-11787 | unknown | — | — | 8y ago | Improper Authentication in Apache Karaf | |||
| CVE-2018-11788 | unknown | — | — | 8y ago | XML External Entity Reference in Apache Karaf | |||
| CVE-2018-20433 | unknown | — | — | 8y ago | XML External Entity Reference in mchange:c3p0 | |||
| CVE-2018-14719 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deseriali… | |||
| CVE-2018-14720 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | |||
| CVE-2018-14721 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic de… | |||
| CVE-2018-19362 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. | |||
| CVE-2018-19361 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. | |||
| CVE-2018-19360 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. | |||
| CVE-2018-14718 | unknown | — | — | 8y ago | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | |||
| CVE-2018-6341 | unknown | — | — | 8y ago | Cross-Site Scripting in react-dom | |||
| CVE-2018-7753 | unknown | — | — | 8y ago | An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that have URI values weren't properly sanitized if the values contained character entities. Using character entities, it was possible … | |||
| CVE-2018-18893 | unknown | — | — | 8y ago | Jinjava calls getClass | |||
| CVE-2018-20594 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.hswebframework.web:hsweb-commons | |||
| CVE-2018-20595 | unknown | — | — | 8y ago | Cross-Site Request Forgery (CSRF) in hswebframework.web:hsweb-commons | |||
| CVE-2018-6342 | unknown | — | — | 8y ago | react-dev-utils on Windows vulnerable to Remote Code Execution | |||
| CVE-2018-14732 | unknown | — | — | 8y ago | Missing Origin Validation in webpack-dev-server | |||
| CVE-2018-20325 | unknown | — | — | 8y ago | There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution. | |||
| CVE-2018-17197 | unknown | — | — | 8y ago | Apache Tika Denial of Service due to Infinite Loop in Tika's SQLite3Parser | |||
| CVE-2018-25001 | unknown | — | — | 8y ago | Possible use-after-free with `proplist::Iterator` | |||
| CVE-2018-8009 | unknown | — | — | 8y ago | Path Traversal in Hadoop | |||
| CVE-2018-11766 | unknown | — | — | 8y ago | Arbitrary Command Execution in Hadoop | |||
| CVE-2018-11786 | unknown | — | — | 8y ago | Improper Privilege Management in Apache Karaf | |||
| CVE-2018-14637 | unknown | — | — | 8y ago | Improper Authentication in Keycloak | |||
| CVE-2018-1000844 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in Square Retrofit | |||
| CVE-2018-1000850 | unknown | — | — | 8y ago | Directory Traversal vulnerability in Square Retrofit | |||
| CVE-2018-1000873 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects com.fasterxml.jackson.datatype:jackson-datatype-jsr353 | |||
| CVE-2018-1000872 | unknown | — | — | 8y ago | OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: Resource Management Errors (similar issue to CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the server can… | |||
| CVE-2018-1000854 | unknown | — | — | 8y ago | Remote Code Execution in esigate-core | |||
| CVE-2018-1000836 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in bw-calendar-engine | |||
| CVE-2018-17195 | unknown | — | — | 8y ago | Cleartext Transmission of Sensitive Information in Apache nifi | |||
| CVE-2018-17193 | unknown | — | — | 8y ago | Cross site scripting in org.apache.nifi:nifi | |||
| CVE-2018-17194 | unknown | — | — | 8y ago | Apache NiFi Improper Input Validation vulnerability | |||
| CVE-2018-17192 | unknown | — | — | 8y ago | Improper Restriction of Rendered UI Layers or Frames in Apache nifi | |||
| CVE-2018-1000823 | unknown | — | — | 8y ago | exist-db:exist-core XML External Entity (XXE) vulnerability | |||
| CVE-2018-1000822 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in codelibs fess | |||
| CVE-2018-1000820 | unknown | — | — | 8y ago | XML External Entity (XXE) vulnerability in neo4j.procedure:apoc | |||
| CVE-2018-1000814 | unknown | — | — | 8y ago | aio-libs aiohttp-session version 2.6.0 and earlier contains an Other/Unknown vulnerability in EncryptedCookieStorage and NaClCookieStorage that can result in Non-expiring sessions / Infinite lifespan.… | |||
| CVE-2018-1000843 | unknown | — | — | 8y ago | Luigi version prior to version 2.8.0; after commit 53b52e12745075a8acc016d33945d9d6a7a6aaeb; after GitHub PR spotify/luigi/pull/1870 contains a Cross Site Request Forgery (CSRF) vulnerability in API e… | |||
| CVE-2018-15801 | unknown | — | — | 8y ago | Spring Security vulnerable to Authorization Bypass | |||
| CVE-2018-11799 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.apache.oozie:oozie-core | |||
| CVE-2018-20999 | unknown | — | — | 8y ago | Flaw in streaming state reset() functions can create incorrect results. | |||
| CVE-2018-20133 | unknown | — | — | 8y ago | ymlref allows code injection. | |||
| CVE-2018-20094 | unknown | — | — | 8y ago | XXL-CONF Path Traversal vulnerability | |||
| CVE-2018-20000 | unknown | — | — | 8y ago | Improper Restriction of XML External Entity Reference in bedework:bw-webdav | |||
| CVE-2018-20059 | unknown | — | — | 8y ago | Improper Restriction of XML External Entity Reference in pippo-core | |||
| CVE-2018-19907 | unknown | — | — | 8y ago | OS Command Injection in craftercms:crafter-studio | |||
| CVE-2018-9207 | unknown | — | — | 8y ago | Unrestricted Upload of File with Dangerous Type in jquery-file-upload | |||
| CVE-2018-16516 | unknown | — | — | 8y ago | helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. | |||
| CVE-2018-20998 | unknown | — | — | 8y ago | Enum repr causing potential memory corruption | |||
| CVE-2018-20170 | unknown | — | — | 8y ago | ** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: th… | |||
| CVE-2018-20996 | unknown | — | — | 8y ago | An issue was discovered in the crossbeam crate before 0.4.1 for Rust. There is a double free because of destructor mishandling. | |||
| CVE-2018-16478 | unknown | — | — | 8y ago | Path Traversal in simplehttpserver | |||
| CVE-2018-20995 | unknown | — | — | 8y ago | Bug in SliceDeque::move_head_unchecked allows read of corrupted memory | |||
| CVE-2018-19443 | unknown | — | — | 8y ago | The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but … | |||
| CVE-2018-15795 | unknown | — | — | 8y ago | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Pivotal CredHub Service Broker | |||
| CVE-2018-16476 | unknown | — | — | 8y ago | A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to inform… | |||
| CVE-2018-16477 | unknown | — | — | 8y ago | A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud Storage and Disk services allow an attacker to modify the `content-disposition` and `content-type` parameters which can be used in w… | |||
| CVE-2018-21000 | unknown | — | — | 8y ago | An issue was discovered in the safe-transmute crate before 0.10.1 for Rust. A constructor's arguments are in the wrong order, causing heap memory corruption. | |||
| CVE-2018-11777 | unknown | — | — | 8y ago | Improper Authentication in hive:hive-exec | |||
| CVE-2018-1314 | unknown | — | — | 8y ago | Moderate severity vulnerability that affects org.apache.hive:hive-jdbc | |||
| CVE-2018-1282 | unknown | — | — | 8y ago | SQL Injection in hive-jdbc | |||
| CVE-2018-1284 | unknown | — | — | 8y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache hive | |||
| CVE-2018-1315 | unknown | — | — | 8y ago | Incorrect Permission Assignment for Critical Resource in Apache hive | |||
| CVE-2018-18920 | unknown | — | — | 8y ago | Py-EVM is vulnerable to arbitrary bytecode injection | |||
| CVE-2018-19183 | unknown | — | — | 8y ago | Denial of Service in ethereumjs-vm | |||
| CVE-2018-17187 | unknown | — | — | 8y ago | Improper Certificate Validation in proton-j | |||
| CVE-2018-19057 | unknown | — | — | 8y ago | SimpleMDE XSS Vulnerability | |||
| CVE-2018-17574 | unknown | — | — | 8y ago | Cross-site Scripting in yapi-vendor | |||
| CVE-2018-17960 | unknown | — | — | 8y ago | Ckeditor XSS Vulnerability | |||
| CVE-2018-19289 | unknown | — | — | 8y ago | Valine HTML Injection | |||
| CVE-2018-17190 | unknown | — | — | 8y ago | Remote Code Execution in spark-core | |||
| CVE-2018-1337 | unknown | — | — | 8y ago | In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connec… | |||
| CVE-2018-18853 | unknown | — | — | 8y ago | Uncontrolled Resource Consumption in spray-json when parsing decimal digit fields | |||
| CVE-2018-18854 | unknown | — | — | 8y ago | Uncontrolled Resource Consumption in spray-json | |||
| CVE-2018-19056 | unknown | — | — | 8y ago | Pandao editor.md vulnerable to DOM XSS | |||
| CVE-2018-1000855 | unknown | — | — | 8y ago | Cross Site Scripting (XSS) vulnerability in easymon | |||
| CVE-2018-16472 | unknown | — | — | 8y ago | A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype … | |||
| CVE-2018-17184 | unknown | — | — | 8y ago | Improper Control of Interaction Frequency in Apache syncope-core | |||
| CVE-2018-17186 | unknown | — | — | 8y ago | Improper Restriction of XML External Entity Reference in org.apache.syncope:syncope-core | |||
| CVE-2018-6874 | unknown | — | — | 8y ago | Cross-Site Request Forgery (CSRF) in Auth0 | |||
| CVE-2018-16473 | unknown | — | — | 8y ago | Path Traversal in takeapeek | |||
| CVE-2018-16474 | unknown | — | — | 8y ago | Stored Cross-Site Scripting in tianma-static | |||
| CVE-2018-16475 | unknown | — | — | 8y ago | Path Traversal in knightjs | |||
| CVE-2018-16471 | unknown | — | — | 8y ago | There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the … | |||
| CVE-2018-16470 | unknown | — | — | 8y ago | There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use … | |||
| CVE-2018-16461 | unknown | — | — | 8y ago | Command Injection in libnmap | |||
| CVE-2018-16462 | unknown | — | — | 8y ago | Command Injection in apex-publish-static-files | |||
| CVE-2018-18830 | unknown | — | — | 8y ago | Unrestricted Upload of File with Dangerous Type in mingsoft:ms-mcms | |||
| CVE-2018-18831 | unknown | — | — | 8y ago | Path Traversal in mingsoft:ms-mcms | |||
| CVE-2018-16469 | unknown | — | — | 8y ago | Prototype Pollution in merge | |||
| CVE-2018-8006 | unknown | — | — | 8y ago | Apache ActiveMQ web console vulnerable to Cross-site Scripting | |||
| CVE-2018-14731 | unknown | — | — | 8y ago | Missing Origin Validation in parcel-bundler | |||
| CVE-2018-16468 | unknown | — | — | 8y ago | In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. | |||
| CVE-2018-14572 | unknown | — | — | 8y ago | In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.syste… | |||
| CVE-2018-1000842 | unknown | — | — | 8y ago | Fat Free CRM vulnerable to Cross-site Scripting | |||
| CVE-2018-18628 | unknown | — | — | 8y ago | Deserialization of Untrusted Data in Pippo | |||
| CVE-2018-18531 | unknown | — | — | 8y ago | Use of Insufficiently Random Values in penggle:kaptcha |