CVEs from 2018
Total
2,884
critical
critical 238
high
high 329
medium
medium 259
low
low 39
% Critical
8.3%
% with KEV
3.1%
% with exploit
9.0%
Top vendors
- intel 1,561
- schneider-electric 43
- siemens 42
- rockwellautomation 16
- echelon 15
- redhat 12
- oracle 9
- mitel 8
Top products
- core_i7 379
- core_i5 375
- core_i3 242
- xeon_e5 82
- xeon_e7 62
- xeon_e3 58
- xeon_gold 33
- atom_z 30
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-3750 | medium | — | 5.5 | 8y ago | RHSA-2021:0549: nodejs:12 security update (Moderate) | |||
| CVE-2018-14574 | medium | — | 5.5 | 8y ago | django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect. | |||
| CVE-2018-14404 | medium | — | 5.5 | 8y ago | RHSA-2020:1827: libxml2 security update (Moderate) | |||
| CVE-2018-6188 | medium | — | 5.5 | 8y ago | django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from th… | |||
| CVE-2018-16984 | medium | — | 5.5 | 8y ago | An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display a… | |||
| CVE-2018-1000559 | medium | — | 5.5 | 8y ago | qutebrowser version introduced in v0.11.0 (1179ee7a937fb31414d77d9970bac21095358449) contains a Cross Site Scripting (XSS) vulnerability in history command, qute://history page that can result in Via… | |||
| CVE-2018-14042 | medium | — | 5.5 | 8y ago | RHSA-2020:4847: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2018-1999024 | medium | — | 5.5 | 8y ago | MathJax version prior to version 2.7.4 contains a Cross Site Scripting (XSS) vulnerability in the \unicode{} macro that can result in Potentially untrusted Javascript running within a web browser. Th… | |||
| CVE-2018-3740 | medium | — | 5.5 | 8y ago | A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element. | |||
| CVE-2018-25384 | medium | 5.4 | 5.4 | 6d ago | Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can pos… | |||
| CVE-2018-25334 | medium | 5.4 | 5.4 | 18d ago | Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but… | |||
| CVE-2018-7795 | medium | 5.4 | 5.4 | 8y ago | A Cross Protocol Injection vulnerability exists in Schneider Electric's PowerLogic (PM5560 prior to FW version 2.5.4) product. The vulnerability makes the product susceptible to cross site scripting … | |||
| CVE-2018-25435 | medium | 5.3 | 5.3 | 3d ago | ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate cu… | |||
| CVE-2018-25397 | medium | 5.3 | 5.3 | 6d ago | PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated … | |||
| CVE-2018-25387 | medium | 5.3 | 5.3 | 6d ago | HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft… | |||
| CVE-2018-25370 | medium | 5.3 | 5.3 | 10d ago | Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious H… | |||
| CVE-2018-25336 | medium | 5.3 | 5.3 | 18d ago | jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML form… | |||
| CVE-2018-25327 | medium | 5.3 | 5.3 | 18d ago | Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTM… | |||
| CVE-2018-25298 | medium | 5.3 | 5.3 | 1mo ago | Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attacker… | |||
| CVE-2018-10626 | medium | 4.4 | 4.4 | 8y ago | Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired … | |||
| CVE-2018-25363 | medium | 4.3 | 4.3 | 10d ago | Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms t… | |||
| CVE-2018-25354 | medium | 4.3 | 4.3 | 12d ago | Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pag… | |||
| CVE-2018-25343 | medium | 4.3 | 4.3 | 12d ago | Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft H… | |||
| CVE-2018-25337 | medium | 4.3 | 4.3 | 18d ago | Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML fo… | |||
| CVE-2018-25321 | medium | 4.3 | 4.3 | 18d ago | TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attacker… | |||
| CVE-2018-25310 | medium | 4.3 | 4.3 | 1mo ago | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cros… | |||
| CVE-2018-6942 | low | — | 2.5 | — | An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file. | |||
| CVE-2018-12558 | low | — | 2.5 | — | The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that c… | |||
| CVE-2018-9055 | low | — | 2.5 | — | denial of service in jasper | |||
| CVE-2018-7452 | low | — | 2.5 | — | A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | |||
| CVE-2018-7174 | low | — | 2.5 | — | An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref allows an attacker to cause denial of service because loop detection exists only for tables, not streams. | |||
| CVE-2018-20482 | low | — | 2.5 | — | GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c)… | |||
| CVE-2018-7453 | low | — | 2.5 | — | Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file due to lack of loop checking, as demonstrated by pdftohtml. | |||
| CVE-2018-5388 | low | — | 2.5 | — | In stroke_socket.c in strongSwan before 5.6.3, a missing packet length check could allow a buffer underflow, which may lead to resource exhaustion and denial of service while reading from the socket. | |||
| CVE-2018-1071 | low | — | 2.5 | — | zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service. | |||
| CVE-2018-7173 | low | — | 2.5 | — | A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an attacker to cause denial of service via a specific file due to inappropriate decoding. | |||
| CVE-2018-20225 | low | — | 2.5 | — | arbitrary code execution in python-pip | |||
| CVE-2018-7454 | low | — | 2.5 | — | A NULL pointer dereference in XFAForm::scanFields in XFAForm.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | |||
| CVE-2018-0732 | low | — | 2.5 | — | During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long pe… | |||
| CVE-2018-8956 | low | — | 2.5 | — | ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via soofed mode 3 and mode 5 packet… | |||
| CVE-2018-18445 | low | — | 2.5 | — | In the Linux kernel 4.14.x, 4.15.x, 4.16.x, 4.17.x, and 4.18.x before 4.18.13, faulty computation of numeric bounds in the BPF verifier permits out-of-bounds memory accesses because adjust_scalar_min… | |||
| CVE-2018-9234 | low | — | 2.5 | — | GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with acce… | |||
| CVE-2018-0737 | low | — | 2.5 | — | The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key gen… | |||
| CVE-2018-7455 | low | — | 2.5 | — | An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc in xpdf 4.00 allows attackers to launch denial of service via a specific pdf file, as demonstrated by pdftohtml. | |||
| CVE-2018-0502 | low | — | 2.5 | — | insufficient validation in zsh | |||
| CVE-2018-13259 | low | — | 2.5 | — | insufficient validation in zsh | |||
| CVE-2018-7175 | low | — | 2.5 | — | An issue was discovered in xpdf 4.00. A NULL pointer dereference in readCodestream allows an attacker to cause denial of service via a JPX image with zero components. | |||
| CVE-2018-14634 | unknown | — | 2.5 | 4mo ago | Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escala… | |||
| CVE-2018-9276 | unknown | — | 2.5 | 1y ago | Paessler PRTG Network Monitor contains an OS command injection vulnerability that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console. | |||
| CVE-2018-14933 | unknown | — | 2.5 | 2y ago | NUUO NVRmini devices contain an OS command injection vulnerability. This vulnerability allows remote command execution via shell metacharacters in the uploaddir parameter for a writeuploaddir command. | |||
| CVE-2018-12699 | low | — | 2.5 | 2y ago | RHSA-2024:9689: binutils security update (Low) | |||
| CVE-2018-0824 | unknown | — | 2.5 | 2y ago | Microsoft COM for Windows contains a deserialization of untrusted data vulnerability that allows for privilege escalation and remote code execution via a specially crafted file or script. | |||
| CVE-2018-5430 | unknown | — | 2.5 | 4y ago | TIBCO JasperReports Server contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files. | |||
| CVE-2018-2628 | unknown | — | 2.5 | 4y ago | Oracle WebLogic Server contains an unspecified vulnerability which can allow an unauthenticated attacker with T3 network access to compromise the server. | |||
| CVE-2018-13374 | unknown | — | 2.5 | 4y ago | Fortinet FortiOS and FortiADC contain an improper access control vulnerability that allows attackers to obtain the LDAP server login credentials configured in FortiGate by pointing a LDAP server conn… | |||
| CVE-2018-7445 | unknown | — | 2.5 | 4y ago | In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code e… | |||
| CVE-2018-6065 | unknown | — | 2.5 | 4y ago | Google Chromium V8 Engine contains an integer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect mult… | |||
| CVE-2018-15133 | unknown | — | 2.5 | 4y ago | Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the appl… | |||
| CVE-2018-8298 | unknown | — | 2.5 | 4y ago | The ChakraCore scripting engine contains a type confusion vulnerability which can allow for remote code execution. | |||
| CVE-2018-1000861 | unknown | — | 2.5 | 4y ago | A code execution vulnerability exists in the Stapler web framework used by Jenkins | |||
| CVE-2018-7841 | unknown | — | 2.5 | 4y ago | A SQL Injection vulnerability exists in U.motion Builder software which could cause unwanted code execution when an improper set of characters is entered. | |||
| CVE-2018-10562 | unknown | — | 2.5 | 4y ago | Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution. | |||
| CVE-2018-10561 | unknown | — | 2.5 | 4y ago | Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution. | |||
| CVE-2018-8440 | unknown | — | 2.5 | 4y ago | An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). | |||
| CVE-2018-11138 | unknown | — | 2.5 | 4y ago | The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution. | |||
| CVE-2018-6961 | unknown | — | 2.5 | 4y ago | VMware SD-WAN Edge by VeloCloud contains a command injection vulnerability in the local web UI component. Successful exploitation of this issue could result in remote code execution. | |||
| CVE-2018-8120 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. | |||
| CVE-2018-15982 | unknown | — | 2.5 | 4y ago | Adobe Flash Player com.adobe.tvsdk.mediacore.metadata Use After Free Vulnerability | |||
| CVE-2018-20250 | unknown | — | 2.5 | 4y ago | WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution | |||
| CVE-2018-8174 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution" | |||
| CVE-2018-8453 | unknown | — | 2.5 | 4y ago | Microsoft Windows Win32k contains a vulnerability that allows an attacker to escalate privileges. | |||
| CVE-2018-13382 | unknown | — | 2.5 | 5y ago | An Improper Authorization vulnerability in Fortinet FortiOS and FortiProxy under SSL VPN web portal allows an unauthenticated attacker to modify the password. | |||
| CVE-2018-14847 | unknown | — | 2.5 | 5y ago | MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability i… | |||
| CVE-2018-20673 | low | — | 2.5 | 5y ago | RHSA-2021:4386: gcc security and bug fix update (Low) | |||
| CVE-2018-13379 | unknown | — | 2.5 | 5y ago | Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource request… | |||
| CVE-2018-20062 | unknown | — | 2.5 | 5y ago | ThinkPHP "noneCms" contains an unspecified vulnerability that allows for remote code execution through crafted use of the filter parameter. | |||
| CVE-2018-0296 | unknown | — | 2.5 | 5y ago | Cisco Adaptive Security Appliance (ASA) contains an improper input validation vulnerability with HTTP URLs. Exploitation could allow an attacker to cause a denial-of-service (DoS) condition or inform… | |||
| CVE-2018-2380 | unknown | — | 2.5 | 5y ago | SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users. | |||
| CVE-2018-4878 | unknown | — | 2.5 | 5y ago | Adobe Flash Player contains a use-after-free vulnerability that could allow for code execution. | |||
| CVE-2018-15961 | unknown | — | 2.5 | 5y ago | Adobe ColdFusion contains an unrestricted file upload vulnerability that could allow for code execution. | |||
| CVE-2018-0171 | unknown | — | 2.5 | 5y ago | Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected device, cause a denial-of-service (DoS) condition, or p… | |||
| CVE-2018-10896 | low | — | 2.5 | 6y ago | RHSA-2020:3050: cloud-init security, bug fix, and enhancement update (Low) | |||
| CVE-2018-7263 | low | — | 2.5 | 6y ago | RHSA-2020:1631: GStreamer, libmad, and SDL security, bug fix, and enhancement update (Low) | |||
| CVE-2018-19841 | low | — | 2.5 | 6y ago | RHSA-2020:1581: wavpack security update (Low) | |||
| CVE-2018-19840 | low | — | 2.5 | 6y ago | RHSA-2020:1581: wavpack security update (Low) | |||
| CVE-2018-19519 | low | — | 2.5 | 6y ago | RHSA-2020:1604: tcpdump security update (Low) | |||
| CVE-2018-10910 | low | — | 2.5 | 6y ago | RHSA-2020:1912: bluez security update (Low) | |||
| CVE-2018-10392 | low | — | 2.5 | 7y ago | RHSA-2019:3703: libvorbis security update (Low) | |||
| CVE-2018-10393 | low | — | 2.5 | 7y ago | RHSA-2019:3703: libvorbis security update (Low) | |||
| CVE-2018-18751 | low | — | 2.5 | 7y ago | RHSA-2019:3643: gettext security update (Low) | |||
| CVE-2018-10932 | low | — | 2.5 | 7y ago | RHSA-2019:3673: lldpad security and bug fix update (Low) | |||
| CVE-2018-16838 | low | — | 2.5 | 7y ago | RHSA-2019:3651: sssd security, bug fix, and enhancement update (Low) | |||
| CVE-2018-6616 | low | — | 2.5 | 7y ago | RHBA-2019:3408: openjpeg2 bug fix and enhancement update (Low) | |||
| CVE-2018-20657 | low | — | 2.5 | 7y ago | RHSA-2019:3352: gdb security, bug fix, and enhancement update (Low) | |||
| CVE-2018-0735 | low | — | 2.5 | 7y ago | RHSA-2019:3700: openssl security, bug fix, and enhancement update (Low) | |||
| CVE-2018-5745 | low | — | 2.5 | 7y ago | RHSA-2019:3552: bind security and bug fix update (Low) | |||
| CVE-2018-0734 | low | — | 2.5 | 7y ago | RHSA-2019:3700: openssl security, bug fix, and enhancement update (Low) | |||
| CVE-2018-15811 | unknown | — | 2.5 | 7y ago | DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. | |||
| CVE-2018-18325 | unknown | — | 2.5 | 7y ago | DotNetNuke (DNN) contains an inadequate encryption strength vulnerability resulting from the use of a weak encryption algorithm to protect input parameters. This CVE ID resolves an incomplete patch f… | |||
| CVE-2018-11776 | unknown | — | 2.5 | 8y ago | Apache Struts contains a vulnerability that allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defi… |