The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2018-25060 | A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The patch is identified as dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a patch to fix this issue. VDB-217058 is the identifier assigned to this vulnerability. | -- | Dec 30, 2022 |
CVE-2018-25059 | A vulnerability was found in pastebinit up to 0.2.2 and classified as problematic. Affected by this issue is the function pasteHandler of the file server.go. The manipulation of the argument r.URL.Path leads to path traversal. Upgrading to version 0.2.3 is able to address this issue. The name of the patch is 1af2facb6d95976c532b7f8f82747d454a092272. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217040. | -- | Dec 30, 2022 |
CVE-2018-25058 | A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x. This affects an unknown part of the file js/twitterFetcher.js of the component Link Target Handler. The manipulation leads to use of web link to untrusted target with window.opener access. It is possible to initiate the attack remotely. Upgrading to version 18.0.0 is able to address this issue. The name of the patch is 7d281c6fb5acbc29a2cad295262c1f0c19ca56f3. It is recommended to upgrade the affected component. The identifier VDB-217017 was assigned to this vulnerability. | -- | Dec 29, 2022 |
CVE-2018-25057 | A vulnerability was found in simple_php_link_shortener. It has been classified as critical. Affected is an unknown function of the file index.php. The manipulation of the argument $link[id] leads to sql injection. The name of the patch is b26ac6480761635ed94ccb0222ba6b732de6e53f. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216996. | -- | Dec 29, 2022 |
CVE-2018-25056 | A vulnerability, which was classified as problematic, was found in yolapi. Affected is the function render_description of the file yolapi/pypi/metadata.py. The manipulation of the argument text leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is a0fe129055a99f429133a5c40cb13b44611ff796. It is recommended to apply a patch to fix this issue. VDB-216966 is the identifier assigned to this vulnerability. | -- | Dec 28, 2022 |
CVE-2018-25055 | A vulnerability was found in FarCry Solr Pro Plugin up to 1.5.x. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file packages/forms/solrProSearch.cfc of the component Search Handler. The manipulation of the argument suggestion leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.6.0 is able to address this issue. The name of the patch is b8f3d61511c9b02b781ec442bfb803cbff8e08d5. It is recommended to upgrade the affected component. The identifier VDB-216961 was assigned to this vulnerability. | -- | Dec 28, 2022 |
CVE-2018-25054 | A vulnerability was found in shred cilla. It has been classified as problematic. Affected is an unknown function of the file cilla-xample/src/main/webapp/WEB-INF/jsp/view/search.jsp of the component Search Handler. The manipulation of the argument details leads to cross site scripting. It is possible to launch the attack remotely. The name of the patch is d345e6bc7798bd717a583ec7f545ca387819d5c7. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216960. | -- | Dec 28, 2022 |
CVE-2018-25053 | A vulnerability was found in moappi Json2html up to 1.1.x and classified as problematic. This issue affects some unknown processing of the file json2html.js. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.2.0 is able to address this issue. The name of the patch is 2d3d24d971b19a8ed1fb823596300b9835d55801. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216959. | -- | Dec 28, 2022 |
CVE-2018-25052 | A vulnerability has been found in Catalyst-Plugin-Session up to 0.40 and classified as problematic. This vulnerability affects the function _load_sessionid of the file lib/Catalyst/Plugin/Session.pm of the component Session ID Handler. The manipulation of the argument sid leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.41 is able to address this issue. The name of the patch is 88d1b599e1163761c9bd53bec53ba078f13e09d4. It is recommended to upgrade the affected component. VDB-216958 is the identifier assigned to this vulnerability. | -- | Dec 28, 2022 |
CVE-2018-25051 | A vulnerability, which was classified as problematic, was found in JmPotato Pomash. This affects an unknown part of the file Pomash/theme/clean/templates/editor.html. The manipulation of the argument article.title/content.title/article.tag leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is be1914ef0a6808e00f51618b2de92496a3604415. It is recommended to apply a patch to fix this issue. The identifier VDB-216957 was assigned to this vulnerability. | -- | Dec 28, 2022 |
CVE-2018-25050 | A vulnerability, which was classified as problematic, has been found in Harvest Chosen up to 1.8.6. Affected by this issue is the function AbstractChosen of the file coffee/lib/abstract-chosen.coffee. The manipulation of the argument group_label leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.7 is able to address this issue. The name of the patch is 77fd031d541e77510268d1041ed37798fdd1017e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216956. | -- | Dec 28, 2022 |
CVE-2018-25049 | A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The name of the patch is 0029ba71b6ad0d8ec0baa2ecc6256d038bdd9b56. It is recommended to apply a patch to fix this issue. VDB-216854 is the identifier assigned to this vulnerability. | -- | Dec 27, 2022 |
CVE-2018-25048 | The CODESYS runtime system in multiple versions allows an remote low privileged attacker to use a path traversal vulnerability to access and modify all system files as well as DoS the device. | -- | Mar 23, 2023 |
CVE-2018-25047 | In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user. | -- | Sep 16, 2022 |
CVE-2018-25046 | Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | LOW | Dec 28, 2022 |
CVE-2018-25045 | Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping. | -- | Jul 23, 2022 |
CVE-2018-25044 | A vulnerability, which was classified as critical, has been found in uTorrent. This issue affects some unknown processing of the component Guest Account. The manipulation leads to privilege escalation. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | MEDIUM | Jun 17, 2022 |
CVE-2018-25043 | A vulnerability classified as critical was found in uTorrent. This vulnerability affects unknown code of the component PRNG. The manipulation leads to weak authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | MEDIUM | Jun 17, 2022 |
CVE-2018-25042 | A vulnerability classified as critical has been found in uTorrent. This affects an unknown part. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. | MEDIUM | Jun 17, 2022 |
CVE-2018-25041 | A vulnerability was found in uTorrent. It has been rated as critical. Affected by this issue is some unknown functionality of the component JSON RPC Server. The manipulation leads to privilege escalation. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | MEDIUM | Jun 17, 2022 |
CVE-2018-25040 | A vulnerability was found in uTorrent Web. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component HTTP RPC Server. The manipulation leads to privilege escalation. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | MEDIUM | Jun 17, 2022 |
CVE-2018-25039 | A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been declared as problematic. This vulnerability affects unknown code of the file /goform/RgUrlBlock.asp. The manipulation of the argument BasicParentalNewKeyword with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | LOW | Jun 12, 2022 |
CVE-2018-25038 | A vulnerability was found in Thomson TCW710 ST5D.10.05. It has been classified as problematic. This affects an unknown part of the file /goform/RgDhcp. The manipulation of the argument PppUserName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | LOW | Jun 12, 2022 |
CVE-2018-25037 | A vulnerability was found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this issue is some unknown functionality of the file /goform/RgDdns. The manipulation of the argument DdnsHostName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | LOW | Jun 12, 2022 |
CVE-2018-25036 | A vulnerability has been found in Thomson TCW710 ST5D.10.05 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /goform/RgTime. The manipulation of the argument TimeServer1/TimeServer2/TimeServer3 with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | LOW | Jun 12, 2022 |
CVE-2018-25035 | A vulnerability, which was classified as problematic, was found in Thomson TCW710 ST5D.10.05. Affected is an unknown function of the file /goform/RGFirewallEL. The manipulation of the argument EmailAddress/SmtpServerName with the input ><script>alert(1)</script> as part of POST Request leads to cross site scripting (Persistent). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | LOW | Jun 12, 2022 |
CVE-2018-25034 | A vulnerability, which was classified as problematic, has been found in Thomson TCW710 ST5D.10.05. This issue affects some unknown processing of the file /goform/wlanPrimaryNetwork. The manipulation of the argument ServiceSetIdentifier with the input ><script>alert(1)</script> as part of POST Request leads to basic cross site scripting (Persistent). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-126695. | LOW | Jun 12, 2022 |
CVE-2018-25033 | ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a. | MEDIUM | May 8, 2022 |
CVE-2018-25032 | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. | MEDIUM | Mar 26, 2022 |
CVE-2018-25031 | Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. | MEDIUM | Mar 11, 2022 |
CVE-2018-25030 | A vulnerability classified as problematic has been found in Mirmay Secure Private Browser and File Manager up to 2.5. Affected is the Auto Lock. A race condition leads to a local authentication bypass. The exploit has been disclosed to the public and may be used. | LOW | Apr 4, 2022 |
CVE-2018-25029 | The Z-Wave specification requires that S2 security can be downgraded to S0 or other less secure protocols, allowing an attacker within radio range during pairing to downgrade and then exploit a different vulnerability (CVE-2013-20003) to intercept and spoof traffic. | MEDIUM | Feb 9, 2022 |
CVE-2018-25028 | An issue was discovered in the libpulse-binding crate before 1.2.1 for Rust. get_context can cause a use-after-free. | MEDIUM | Dec 27, 2021 |
CVE-2018-25027 | An issue was discovered in the libpulse-binding crate before 1.2.1 for Rust. get_format_info can cause a use-after-free. | MEDIUM | Dec 27, 2021 |
CVE-2018-25026 | An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can add the Send marker trait to an object that cannot be sent between threads safely, leading to memory corruption. | HIGH | Dec 27, 2021 |
CVE-2018-25025 | An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly extend the lifetime of a string, leading to memory corruption. | HIGH | Dec 27, 2021 |
CVE-2018-25024 | An issue was discovered in the actix-web crate before 0.7.15 for Rust. It can unsoundly coerce an immutable reference into a mutable reference, leading to memory corruption. | HIGH | Dec 27, 2021 |
CVE-2018-25023 | An issue was discovered in the smallvec crate before 0.6.13 for Rust. It can create an uninitialized value of any type, including a reference type. | MEDIUM | Dec 27, 2021 |
CVE-2018-25022 | The Onion module in toxcore before 0.2.2 doesn\'t restrict which packets can be onion-routed, which allows a remote attacker to discover a target user\'s IP address (when knowing only their Tox Id) by positioning themselves close to target\'s Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target\'s DHT public key and creating a DHT node with public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node. | MEDIUM | Dec 16, 2021 |
CVE-2018-25021 | The TCP Server module in toxcore before 0.2.8 doesn\'t free the TCP priority queue under certain conditions, which allows a remote attacker to exhaust the system\'s memory, causing a denial of service (DoS). | MEDIUM | Dec 16, 2021 |
CVE-2018-25020 | The BPF subsystem in the Linux kernel before 4.17 mishandles situations with a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions, leading to an overflow. This affects kernel/bpf/core.c and net/core/filter.c. | MEDIUM | Dec 8, 2021 |
CVE-2018-25019 | The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server | MEDIUM | Nov 3, 2021 |
CVE-2018-25018 | UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write during a memcpy in QuickOpen::ReadRaw when called from QuickOpen::ReadNext. | MEDIUM | Jul 1, 2021 |
CVE-2018-25017 | RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in TableLookUp::setTable. | HIGH | Jul 1, 2021 |
CVE-2018-25016 | Greenbone Security Assistant (GSA) before 7.0.3 and Greenbone OS (GOS) before 5.0.0 allow Host Header Injection. | HIGH | Jun 25, 2021 |
CVE-2018-25015 | An issue was discovered in the Linux kernel before 4.14.16. There is a use-after-free in net/sctp/socket.c for a held lock after a peel off, aka CID-a0ff660058b8. | MEDIUM | Jun 7, 2021 |
CVE-2018-25014 | A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol(). | HIGH | May 21, 2021 |
CVE-2018-25013 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes(). | MEDIUM | May 21, 2021 |
CVE-2018-25012 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24(). | MEDIUM | May 21, 2021 |
CVE-2018-25011 | A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16(). | HIGH | May 21, 2021 |