The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2018-19630 | cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the URI, as demonstrated by a cgi-bin/?[XSS] URI. | MEDIUM | Nov 28, 2018 |
CVE-2018-19629 | A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection. | MEDIUM | Jul 19, 2019 |
CVE-2018-19628 | In Wireshark 2.6.0 to 2.6.4, the ZigBee ZCL dissector could crash. This was addressed in epan/dissectors/packet-zbee-zcl-lighting.c by preventing a divide-by-zero error. | MEDIUM | Dec 1, 2018 |
CVE-2018-19627 | In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by adjusting a buffer boundary. | MEDIUM | Dec 5, 2018 |
CVE-2018-19626 | In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the DCOM dissector could crash. This was addressed in epan/dissectors/packet-dcom.c by adding '\0' termination. | MEDIUM | Dec 1, 2018 |
CVE-2018-19625 | In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in epan/tvbuff_composite.c by preventing a heap-based buffer over-read. | MEDIUM | Dec 1, 2018 |
CVE-2018-19624 | In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the PVFS dissector could crash. This was addressed in epan/dissectors/packet-pvfs2.c by preventing a NULL pointer dereference. | MEDIUM | Dec 1, 2018 |
CVE-2018-19623 | In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the LBMPDM dissector could crash. In addition, a remote attacker could write arbitrary data to any memory locations before the packet-scoped memory. This was addressed in epan/dissectors/packet-lbmpdm.c by disallowing certain negative values. | MEDIUM | Dec 1, 2018 |
CVE-2018-19622 | In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the MMSE dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-mmse.c by preventing length overflows. | MEDIUM | Dec 1, 2018 |
CVE-2018-19621 | server/index.php?s=/api/teamMember/save in ShowDoc 2.4.2 has a CSRF that can add members to a team. | MEDIUM | Nov 28, 2018 |
CVE-2018-19620 | ShowDoc 2.4.1 allows remote attackers to edit other users' notes by navigating with a modified page_id. | MEDIUM | Nov 28, 2018 |
CVE-2018-19616 | An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element. | MEDIUM | Dec 26, 2018 |
CVE-2018-19615 | Rockwell Automation Allen-Bradley PowerMonitor 1000 all versions. A remote attacker could inject arbitrary code into a targeted user's web browser to gain access to the affected device. | LOW | Dec 26, 2018 |
CVE-2018-19614 | XSS exists in the /cmdexec/cmdexe?cmd= function in Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers. | MEDIUM | May 24, 2019 |
CVE-2018-19613 | Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers allow CSRF. | MEDIUM | May 28, 2019 |
CVE-2018-19612 | The /uploadfile? functionality in Westermo DR-250 Pre-5162 and DR-260 Pre-5162 routers allows remote users to upload malicious file types and execute ASP code. | MEDIUM | May 28, 2019 |
CVE-2018-19609 | ShowDoc 2.4.1 allows remote attackers to obtain sensitive information by navigating with a modified page_id, as demonstrated by reading note content, or discovering a username in the JSON data at a diff URL. | MEDIUM | Nov 27, 2018 |
CVE-2018-19608 | Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites. | LOW | Dec 5, 2018 |
CVE-2018-19607 | Exiv2::isoSpeed in easyaccess.cpp in Exiv2 v0.27-RC2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. | MEDIUM | Nov 27, 2018 |
CVE-2018-19601 | Rhymix CMS 1.9.8.1 allows SSRF via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload. | MEDIUM | Jan 10, 2019 |
CVE-2018-19600 | Rhymix CMS 1.9.8.1 allows XSS via an index.php?module=admin&act=dispModuleAdminFileBox SVG upload. | LOW | Jan 10, 2019 |
CVE-2018-19599 | Monstra CMS 1.6 allows XSS via an uploaded SVG document to the admin/index.php?id=filesmanager&path=uploads/ URI. NOTE: this is a discontinued product. | LOW | Mar 3, 2020 |
CVE-2018-19598 | Statamic 2.10.3 allows XSS via First Name or Last Name to the /users URI in an 'Add new user' request. | LOW | Dec 19, 2018 |
CVE-2018-19597 | CMS Made Simple 2.2.8 allows XSS via an uploaded SVG document, a related issue to CVE-2017-16798. | LOW | Dec 19, 2018 |
CVE-2018-19596 | Zurmo 3.2.4 allows HTML Injection via an admin's use of HTML in the report section, a related issue to CVE-2018-19506. | LOW | Dec 19, 2018 |
CVE-2018-19595 | PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of eval with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); URI, because of an incorrect apps\home\controller\ParserController.php parserIfLabel protection mechanism. | HIGH | Nov 27, 2018 |
CVE-2018-19592 | The "CLink4Service" service is installed with Corsair Link 4.9.7.35 with insecure permissions by default. This allows unprivileged users to take control of the service and execute commands in the context of NT AUTHORITY\SYSTEM, leading to total system takeover, a similar issue to CVE-2018-12441. | HIGH | Oct 1, 2019 |
CVE-2018-19591 | In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function. | MEDIUM | Dec 5, 2018 |
CVE-2018-19589 | Incorrect Access Controls of Security Officer (SO) in PKCS11 R2 provider that ships with the Utimaco CryptoServer HSM product package allows an SO authenticated to a slot to retrieve attributes of keys marked as private keys in external key storage, and also delete keys marked as private keys in external key storage. This compromises the availability of all keys configured with external key storage and may result in an economic attack in which the attacker denies legitimate users access to keys while maintaining possession of an encrypted copy (blob) of the external key store for ransom. This attack has been dubbed reverse ransomware attack and may be executed via a physical connection to the CryptoServer or remote connection if SSH or remote access to LAN CryptoServer has been compromised. The Confidentiality and Integrity of the affected keys, however, remain untarnished. | MEDIUM | Apr 11, 2019 |
CVE-2018-19588 | Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control. | HIGH | Jul 18, 2019 |
CVE-2018-19587 | In Cesanta Mongoose 6.13, a SIGSEGV exists in the mongoose.c mg_mqtt_add_session() function. | MEDIUM | Nov 27, 2018 |
CVE-2018-19586 | Silverpeas 5.15 through 6.0.2 is affected by an authenticated Directory Traversal vulnerability that can be triggered during file uploads because core/webapi/upload/FileUploadData.java mishandles a StringUtil.java call. This vulnerability enables regular users to write arbitrary files on the underlying system with privileges of the user running the application. Especially, an attacker may leverage the vulnerability to write an executable JSP file in an exposed web directory to execute commands on the underlying system. | HIGH | Apr 11, 2019 |
CVE-2018-19585 | GitLab CE/EE versions 8.18 up to 11.x before 11.3.11, 11.4.x before 11.4.8, and 11.5.x before 11.5.1 have CRLF Injection in Project Mirroring when using the Git protocol. | MEDIUM | May 20, 2019 |
CVE-2018-19584 | GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups. | MEDIUM | Jul 11, 2019 |
CVE-2018-19583 | GitLab CE/EE, versions 8.0 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, would log access tokens in the Workhorse logs, permitting administrators with access to the logs to see another user's token. | MEDIUM | Jul 16, 2019 |
CVE-2018-19582 | GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user. | MEDIUM | Jul 11, 2019 |
CVE-2018-19581 | GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create. | MEDIUM | Jul 11, 2019 |
CVE-2018-19580 | All versions of GitLab prior to 11.5.1, 11.4.8, and 11.3.11 do not send an email to the old email address when an email address change is made. | MEDIUM | Jul 11, 2019 |
CVE-2018-19579 | GitLab EE version 11.5 is vulnerable to a persistent XSS vulnerability in the Operations page. This is fixed in 11.5.1. | LOW | Jul 11, 2019 |
CVE-2018-19578 | GitLab EE, version 11.5 before 11.5.1, is vulnerable to an insecure object reference issue that permits a user with Reporter privileges to view the Jaeger Tracing Operations page. | MEDIUM | Jul 11, 2019 |
CVE-2018-19577 | GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue. | MEDIUM | Jul 11, 2019 |
CVE-2018-19576 | GitLab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an access control issue that allows a Guest user to make changes to or delete their own comments on an issue, after the issue was made Confidential. | MEDIUM | Jul 11, 2019 |
CVE-2018-19575 | GitLab CE/EE, versions 10.1 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an insecure direct object reference issue that allows a user to make comments on a locked issue. | MEDIUM | Jul 11, 2019 |
CVE-2018-19574 | GitLab CE/EE, versions 7.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in the OAuth authorization page. | LOW | Jul 16, 2019 |
CVE-2018-19573 | GitLab CE/EE, versions 10.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via Mermaid. | LOW | Jul 16, 2019 |
CVE-2018-19572 | GitLab CE 8.17 and later and EE 8.3 and later have a symlink time-of-check-to-time-of-use race condition that would allow unauthorized access to files in the GitLab Pages chroot environment. This is fixed in versions 11.5.1, 11.4.8, and 11.3.11. | MEDIUM | Jul 11, 2019 |
CVE-2018-19571 | GitLab CE/EE, versions 8.18 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an SSRF vulnerability in webhooks. | MEDIUM | Jul 11, 2019 |
CVE-2018-19570 | GitLab CE/EE, versions 11.3 before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an XSS vulnerability in Markdown fields via unrecognized HTML tags. | LOW | Jul 16, 2019 |
CVE-2018-19569 | GitLab CE/EE, versions 8.8 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an authorization vulnerability that allows access to the web-UI as a user using a Personal Access Token of any scope. | MEDIUM | Jul 11, 2019 |
CVE-2018-19568 | A floating point exception in kodak_radc_load_raw in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code. | MEDIUM | Nov 26, 2018 |