The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2018-10958 | In types.cpp in Exiv2 0.26, a large size value may lead to a SIGABRT during an attempt at memory allocation for an Exiv2::Internal::PngChunk::zlibUncompress call. | MEDIUM | May 9, 2018 |
| CVE-2018-10957 | CSRF exists on D-Link DIR-868L devices, leading to (for example) a change to the Admin password. hedwig.cgi and pigwidgeon.cgi are two of the affected components. | MEDIUM | May 9, 2018 |
| CVE-2018-10956 | IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal. | MEDIUM | Jun 25, 2018 |
| CVE-2018-10955 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222548. | MEDIUM | May 9, 2018 |
| CVE-2018-10954 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222550. | MEDIUM | May 9, 2018 |
| CVE-2018-10953 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x0022204C. | MEDIUM | May 9, 2018 |
| CVE-2018-10952 | In 2345 Security Guard 3.7, the driver file (2345BdPcSafe.sys, X64 version) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCTL 0x00222088. | MEDIUM | May 9, 2018 |
| CVE-2018-10951 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows zimbraSSLPrivateKey read access via a GetServer, GetAllServers, or GetAllActiveServers call in the Admin SOAP API. | MEDIUM | May 9, 2018 |
| CVE-2018-10950 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 before 8.6.0.Patch10 allows Information Exposure through Verbose Error Messages containing a stack dump, tracing data, or full user-context dump. | MEDIUM | May 9, 2018 |
| CVE-2018-10949 | mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 before 8.7.11.Patch3; and 8.6 allows Account Enumeration by leveraging a Discrepancy between the HTTP 404 - account is not active and HTTP 401 - must authenticate errors. | MEDIUM | May 9, 2018 |
| CVE-2018-10948 | Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 8.8.0 beta 2 has Persistent XSS via mail addrs. | LOW | May 31, 2019 |
| CVE-2018-10947 | An issue was discovered in versions earlier than 1.3.2 for Polycom RealPresence Debut where the admin cookie is reset only after a Debut is rebooted. | LOW | Jun 17, 2019 |
| CVE-2018-10946 | An issue was discovered in versions earlier than 1.3.0-66872 for Polycom RealPresence Debut that allows attackers to arbitrarily read the admin user\'s password via the admin web UI. | LOW | Jun 17, 2019 |
| CVE-2018-10945 | The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function. | MEDIUM | Jun 19, 2018 |
| CVE-2018-10944 | The request_dividend function of a smart contract implementation for ROC (aka Rasputin Online Coin), an Ethereum ERC20 token, allows attackers to steal all of the contract's Ether. | MEDIUM | May 13, 2018 |
| CVE-2018-10943 | An issue was discovered on Barco ClickShare CSE-200 and CS-100 Base Units with firmware before 1.6.0.3. Sending an arbitrary unexpected string to TCP port 7100 respecting a certain frequency timing disconnects all clients and results in a crash of the Unit. | HIGH | Jul 10, 2018 |
| CVE-2018-10942 | modules/attributewizardpro/file_upload.php in the Attribute Wizard addon 1.6.9 for PrestaShop 1.4.0.1 through 1.6.1.18 allows remote attackers to execute arbitrary code by uploading a .phtml file. | HIGH | May 9, 2018 |
| CVE-2018-10940 | The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. | MEDIUM | May 9, 2018 |
| CVE-2018-10939 | Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before 8.8.8.Patch4 and 8.7 before 8.7.11.Patch4 has Persistent XSS via a contact group. | MEDIUM | May 30, 2018 |
| CVE-2018-10938 | A flaw was found in the Linux kernel present since v4.0-rc1 and through v4.13-rc4. A crafted network packet sent remotely by an attacker may force the kernel to enter an infinite loop in the cipso_v4_optptr() function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A certain non-default configuration of LSM (Linux Security Module) and NetLabel should be set up on a system before an attacker could leverage this flaw. | HIGH | Aug 28, 2018 |
| CVE-2018-10937 | A cross site scripting flaw exists in the tetonic-console component of Openshift Container Platform 3.11. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim. | LOW | Sep 12, 2018 |
| CVE-2018-10936 | A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA. | MEDIUM | Aug 30, 2018 |
| CVE-2018-10935 | A flaw was found in the 389 Directory Server that allows users to cause a crash in the LDAP server using ldapsearch with server side sort. | MEDIUM | Oct 9, 2019 |
| CVE-2018-10934 | A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users. | LOW | Mar 29, 2019 |
| CVE-2018-10933 | A vulnerability was found in libssh\'s server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access. | Medium | Oct 18, 2018 |
| CVE-2018-10932 | lldptool version 1.0.1 and older can print a raw, unsanitized attacker controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal. | LOW | Aug 21, 2018 |
| CVE-2018-10931 | It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. | HIGH | Aug 9, 2018 |
| CVE-2018-10930 | A flaw was found in RPC request using gfs3_rename_req in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10929 | A flaw was found in RPC request using gfs2_create_req in glusterfs server. An authenticated attacker could use this flaw to create arbitrary files and execute arbitrary code on glusterfs server nodes. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10928 | A flaw was found in RPC request using gfs3_symlink_req in glusterfs server which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10927 | A flaw was found in RPC request using gfs3_lookup_req in glusterfs server. An authenticated attacker could use this flaw to leak information and execute remote denial of service by crashing gluster brick process. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10926 | A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10925 | It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with INSERT ... ON CONFLICT DO UPDATE. An attacker with CREATE TABLE privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain INSERT and limited UPDATE privileges to a particular table, they could exploit this to update other columns in the same table. | MEDIUM | Aug 9, 2018 |
| CVE-2018-10924 | It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine. | MEDIUM | Sep 4, 2018 |
| CVE-2018-10923 | It was found that the mknod call derived from mknod(2) can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10922 | An input validation flaw exists in ttembed. With a crafted input file, an attacker may be able to trigger a denial of service condition due to ttembed trusting attacker controlled values. | MEDIUM | Aug 2, 2018 |
| CVE-2018-10921 | Certain input files may trigger an integer overflow in ttembed input file processing. This overflow could potentially lead to corruption of the input file due to a lack of checking return codes of fgetc/fputc function calls. | MEDIUM | Aug 2, 2018 |
| CVE-2018-10920 | Improper input validation bug in DNS resolver component of Knot Resolver before 2.4.1 allows remote attacker to poison cache. | MEDIUM | Aug 2, 2018 |
| CVE-2018-10919 | The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential attribute values using LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable. | MEDIUM | Aug 23, 2018 |
| CVE-2018-10918 | A null pointer dereference flaw was found in the way samba checked database outputs from the LDB database layer. An authenticated attacker could use this flaw to crash a samba server in an Active Directory Domain Controller configuration. Samba versions before 4.7.9 and 4.8.4 are vulnerable. | MEDIUM | Aug 23, 2018 |
| CVE-2018-10917 | pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories. | MEDIUM | Aug 15, 2018 |
| CVE-2018-10916 | It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user to use reverse mirroring on an attacker controlled FTP server, resulting in the removal of all files in the current working directory of the victim\'s system. | HIGH | Aug 7, 2018 |
| CVE-2018-10915 | A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with host or hostaddr connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected. | MEDIUM | Aug 9, 2018 |
| CVE-2018-10914 | It was found that an attacker could issue a xattr request via glusterfs FUSE to cause gluster brick process to crash which will result in a remote denial of service. If gluster multiplexing is enabled this will result in a crash of multiple bricks and gluster volumes. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10913 | An information disclosure vulnerability was discovered in glusterfs server. An attacker could issue a xattr request via glusterfs FUSE to determine the existence of any file. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10912 | keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server. | MEDIUM | Jul 23, 2018 |
| CVE-2018-10911 | A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value. | MEDIUM | Sep 5, 2018 |
| CVE-2018-10910 | A bug in Bluez may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication. Versions before bluez 5.51 are vulnerable. | LOW | Jan 29, 2019 |
| CVE-2018-10909 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2018-10908 | It was found that vdsm before version 4.20.37 invokes qemu-img on untrusted inputs without limiting resources. By uploading a specially crafted image, an attacker could cause the qemu-img process to consume unbounded amounts of memory of CPU time, causing a denial of service condition that could potentially impact other users of the host. | HIGH | Aug 9, 2018 |
