The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2018-10119 | sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service (use-after-free with write access) or possibly have unspecified other impact via a crafted document that uses the structured storage ole2 wrapper file format. | MEDIUM | Apr 21, 2018 |
| CVE-2018-10118 | Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php. | LOW | Apr 16, 2018 |
| CVE-2018-10117 | An issue was discovered in idreamsoft iCMS V7.0.7. There is a CSRF vulnerability that can add an admin account via admincp.php?app=members&do=save&frame=iPHP. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10115 | Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive. | MEDIUM | May 4, 2018 |
| CVE-2018-10114 | An issue was discovered in GEGL through 0.3.32. The gegl_buffer_iterate_read_simple function in buffer/gegl-buffer-access.c allows remote attackers to cause a denial of service (write access violation) or possibly have unspecified other impact via a malformed PPM file, related to improper restrictions on memory allocation in the ppm_load_read_header function in operations/external/ppm-load.c. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10113 | An issue was discovered in GEGL through 0.3.32. The process function in operations/external/ppm-load.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10112 | An issue was discovered in GEGL through 0.3.32. The gegl_tile_backend_swap_constructed function in buffer/gegl-tile-backend-swap.c allows remote attackers to cause a denial of service (write access violation) or possibly have unspecified other impact via a malformed PNG file that is mishandled during a call to the babl_format_get_bytes_per_pixel function in babl-format.c in babl 0.1.46. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10111 | An issue was discovered in GEGL through 0.3.32. The render_rectangle function in process/gegl-processor.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10110 | D-Link DIR-615 T1 devices allow XSS via the Add User feature. | LOW | Apr 18, 2018 |
| CVE-2018-10109 | Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the content section of a new page in the blog catalog. | LOW | Apr 16, 2018 |
| CVE-2018-10108 | D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PATCH_2.07.B01) devices have XSS in the Treturn parameter to /htdocs/webinc/js/bsc_sms_inbox.php. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10107 | D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PATCH_2.07.B01) devices have XSS in the RESULT parameter to /htdocs/webinc/js/info.php. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10106 | D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PATCH_2.07.B01) devices have permission bypass and information disclosure in /htdocs/web/getcfg.php, as demonstrated by a /getcfg.php?a=%0a_POST_SERVICES%3DDEVICE.ACCOUNT%0aAUTHORIZED_GROUP%3D1 request. | HIGH | Apr 16, 2018 |
| CVE-2018-10105 | tcpdump before 4.9.3 mishandles the printing of SMB data (issue 2 of 2). | High | Oct 11, 2019 |
| CVE-2018-10103 | tcpdump before 4.9.3 mishandles the printing of SMB data (issue 1 of 2). | High | Oct 11, 2019 |
| CVE-2018-10102 | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | MEDIUM | Apr 18, 2018 |
| CVE-2018-10101 | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. | MEDIUM | Apr 17, 2018 |
| CVE-2018-10100 | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | MEDIUM | Apr 17, 2018 |
| CVE-2018-10099 | Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive information about the content of bug reports. | MEDIUM | Nov 20, 2018 |
| CVE-2018-10098 | In MicroWorld eScan Internet Security Suite (ISS) for Business 14.0.1400.2029, the driver econceal.sys allows a non-privileged user to send a 0x830020E0 IOCTL request to \.econceal to cause a denial of service (BSOD). | MEDIUM | Jul 13, 2018 |
| CVE-2018-10097 | XSS exists in Domain Trader 2.5.3 via the recoverlogin.php email_address parameter. | MEDIUM | Apr 16, 2018 |
| CVE-2018-10096 | joyplus-cms 1.6.0 has XSS via the device_name parameter in a manager/admin_ajax.php?action=save flag=add request. | LOW | Apr 13, 2018 |
| CVE-2018-10095 | Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php. | MEDIUM | May 22, 2018 |
| CVE-2018-10094 | SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. | HIGH | May 22, 2018 |
| CVE-2018-10093 | AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow Remote Code Execution. | HIGH | Mar 28, 2019 |
| CVE-2018-10092 | The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads. | MEDIUM | May 22, 2018 |
| CVE-2018-10091 | AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow XSS. | LOW | Mar 27, 2019 |
| CVE-2018-10088 | Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impact and attack vectors, a different vulnerability than CVE-2017-16725. | HIGH | Jun 10, 2018 |
| CVE-2018-10087 | The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value. | LOW | Apr 18, 2018 |
| CVE-2018-10086 | CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses eval('function testfunction'.rand() and it is possible to bypass certain restrictions on these testfunction functions. | MEDIUM | Apr 13, 2018 |
| CVE-2018-10085 | CMS Made Simple (CMSMS) through 2.2.6 allows PHP object injection because of an unserialize call in the _get_data function of libclassesinternalclass.LoginOperations.php. By sending a crafted cookie, a remote attacker can upload and execute code, or delete files. | HIGH | Apr 13, 2018 |
| CVE-2018-10084 | CMS Made Simple (CMSMS) through 2.2.6 contains a privilege escalation vulnerability from ordinary user to admin user by arranging for the eff_uid value within $_COOKIE[$this->_loginkey] to equal 1, because an SHA-1 cryptographic protection mechanism can be bypassed. | MEDIUM | Apr 13, 2018 |
| CVE-2018-10083 | CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary file deletion vulnerability in the admin dashboard via directory traversal sequences in the val parameter within a cmd=del request, because code under modulesFilePicker does not restrict the val parameter. | MEDIUM | Apr 13, 2018 |
| CVE-2018-10082 | CMS Made Simple (CMSMS) through 2.2.7 allows physical path leakage via an invalid /index.php?page= value, a crafted URI starting with /index.php?mact=Search, or a direct request to /admin/header.php, /admin/footer.php, /lib/tasks/class.ClearCache.task.php, or /lib/tasks/class.CmsSecurityCheck.task.php. | MEDIUM | Apr 13, 2018 |
| CVE-2018-10081 | CMS Made Simple (CMSMS) through 2.2.6 contains an admin password reset vulnerability because data values are improperly compared, as demonstrated by a hash beginning with the 0e substring. | MEDIUM | Apr 13, 2018 |
| CVE-2018-10080 | Secutech RiS-11, RiS-22, and RiS-33 devices with firmware V5.07.52_es_FRI01 allow DNS settings changes via a goform/AdvSetDns?GO=wan_dns.asp request in conjunction with a crafted admin cookie. | MEDIUM | Apr 13, 2018 |
| CVE-2018-10079 | Geist WatchDog Console 3.2.2 uses a weak ACL for the C:ProgramDataWatchDog Console directory, which allows local users to modify configuration data by updating (1) config.xml or (2) servers.xml. | LOW | Apr 21, 2018 |
| CVE-2018-10078 | Cross-site scripting (XSS) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via a server description. | LOW | Apr 21, 2018 |
| CVE-2018-10077 | XML external entity (XXE) vulnerability in Geist WatchDog Console 3.2.2 allows remote authenticated administrators to read arbitrary files via crafted XML data. | MEDIUM | Apr 21, 2018 |
| CVE-2018-10076 | An issue was discovered in Zoho ManageEngine EventLog Analyzer 11.12. A Cross-Site Scripting vulnerability allows a remote attacker to inject arbitrary web script or HTML via the search functionality (the search box of the Dashboard). | MEDIUM | Jul 2, 2018 |
| CVE-2018-10075 | Cross-site scripting (XSS) vulnerability in Zoho ManageEngine EventLog Analyzer 11.12 allows remote attackers to inject arbitrary web script or HTML via the import logs feature. | MEDIUM | Jul 2, 2018 |
| CVE-2018-10074 | The hi3660_stub_clk_probe function in drivers/clk/hisilicon/clk-hi3660-stub.c in the Linux kernel before 4.16 allows local users to cause a denial of service (NULL pointer dereference) by triggering a failure of resource retrieval. | MEDIUM | Apr 12, 2018 |
| CVE-2018-10073 | joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword parameter. | LOW | Apr 12, 2018 |
| CVE-2018-10072 | windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953827bf DeviceIoControl call. | MEDIUM | Apr 12, 2018 |
| CVE-2018-10071 | windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers to cause a denial of service (BSOD) via a 0x953826DB DeviceIoControl call. | MEDIUM | Apr 12, 2018 |
| CVE-2018-10070 | A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending a crafted FTP request on port 21 that begins with many '�' characters, preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a router was rebooted without proper shutdown message. | HIGH | Apr 17, 2018 |
| CVE-2018-10068 | The jDownloads extension before 3.2.59 for Joomla! has XSS. | MEDIUM | Apr 12, 2018 |
| CVE-2018-10066 | An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN server certificate verification allows a remote unauthenticated attacker capable of intercepting client traffic to act as a malicious OpenVPN server. This may allow the attacker to gain access to the client's internal network (for example, at site-to-site tunnels). | MEDIUM | Apr 13, 2018 |
| CVE-2018-10063 | The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to Remote Command Execution using CSV Injection that is mishandled when exporting a Leads file. | MEDIUM | Apr 12, 2018 |
| CVE-2018-10061 | Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used). | LOW | Apr 12, 2018 |
