The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2018-20889 | cPanel before 74.0.0 allows certain file-read operations via password file caching (SEC-425). | LOW | Aug 7, 2019 | n/a |
| CVE-2018-20888 | cPanel before 74.0.0 allows file modification in the context of the root account because of incorrect HTTP authentication (SEC-424). | MEDIUM | Aug 7, 2019 | n/a |
| CVE-2018-20887 | cPanel before 74.0.0 allows SQL injection during database backups (SEC-420). | HIGH | Aug 1, 2019 | n/a |
| CVE-2018-20886 | cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-418). | MEDIUM | Aug 7, 2019 | n/a |
| CVE-2018-20885 | cPanel before 74.0.0 allows Apache HTTP Server configuration injection because of DocumentRoot variable interpolation (SEC-416). | MEDIUM | Aug 1, 2019 | n/a |
| CVE-2018-20884 | cPanel before 74.0.0 allows stored XSS in the WHM File Restoration interface (SEC-367). | LOW | Aug 1, 2019 | n/a |
| CVE-2018-20883 | cPanel before 74.0.8 allows FTP access during account suspension (SEC-449). | MEDIUM | Aug 2, 2019 | n/a |
| CVE-2018-20882 | cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447). | MEDIUM | Aug 8, 2019 | n/a |
| CVE-2018-20881 | cPanel before 74.0.8 allows self stored XSS on the Security Questions login page (SEC-446). | -- | Aug 1, 2019 | n/a |
| CVE-2018-20880 | cPanel before 74.0.8 mishandles account suspension because of an invalid email_accounts.json file (SEC-445). | LOW | Aug 2, 2019 | n/a |
| CVE-2018-20879 | cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444). | -- | Aug 1, 2019 | n/a |
| CVE-2018-20878 | cPanel before 74.0.8 allows stored XSS in WHM \"File and Directory Restoration\" interface (SEC-441). | -- | Aug 1, 2019 | n/a |
| CVE-2018-20877 | cPanel before 74.0.8 allows self XSS in WHM Style Upload interface (SEC-437). | -- | Aug 1, 2019 | n/a |
| CVE-2018-20876 | cPanel before 74.0.8 allows self XSS in the Site Software Moderation interface (SEC-434). | -- | Aug 1, 2019 | n/a |
| CVE-2018-20875 | cPanel before 74.0.8 allows self XSS in the WHM Security Questions interface (SEC-433). | LOW | Aug 1, 2019 | n/a |
| CVE-2018-20874 | cPanel before 74.0.8 allows self XSS in the WHM \"Create a New Account\" interface (SEC-428). | LOW | Aug 6, 2019 | n/a |
| CVE-2018-20873 | cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409). | LOW | Aug 8, 2019 | n/a |
| CVE-2018-20872 | DrayTek routers before2018-05-23 allow CSRF attacks to change DNS or DHCP settings, a related issue to CVE-2017-11649. | MEDIUM | Aug 5, 2019 | n/a |
| CVE-2018-20871 | In Univa Grid Engine before 8.6.3, when configured for Docker jobs and execd spooling on root_squash, weak file permissions (\"other\" write access) occur in certain cases (GE-6890). | MEDIUM | Aug 7, 2019 | n/a |
| CVE-2018-20870 | The WebDAV transport feature in cPanel before 76.0.8 enables debug logging (SEC-467). | LOW | Jul 31, 2019 | n/a |
| CVE-2018-20869 | cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465). | HIGH | Jul 31, 2019 | n/a |
| CVE-2018-20868 | cPanel before 76.0.8 has Stored XSS in the WHM MultiPHP Manager interface (SEC-464). | -- | Jul 30, 2019 | n/a |
| CVE-2018-20867 | cPanel before 76.0.8 has an open redirect when resetting connections (SEC-462). | -- | Jul 30, 2019 | n/a |
| CVE-2018-20866 | cPanel before 76.0.8 has Stored XSS in the WHM \"Reset a DNS Zone\" feature (SEC-461). | -- | Jul 30, 2019 | n/a |
| CVE-2018-20865 | cPanel before 76.0.8 has Self XSS in the WHM Additional Backup Destination field (SEC-459). | -- | Jul 30, 2019 | n/a |
| CVE-2018-20864 | cPanel before 76.0.8 allows a persistent Virtual FTP accounts after removal of its associated domain (SEC-454). | MEDIUM | Jul 31, 2019 | n/a |
| CVE-2018-20863 | cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452). | HIGH | Jul 31, 2019 | n/a |
| CVE-2018-20862 | cPanel before 76.0.8 unsafely performs PostgreSQL password changes (SEC-366). | LOW | Jul 31, 2019 | n/a |
| CVE-2018-20861 | libopenmpt before 0.3.11 allows a crash with certain malformed custom tunings in MPTM files. | MEDIUM | Aug 5, 2019 | n/a |
| CVE-2018-20860 | libopenmpt before 0.3.13 allows a crash with malformed MED files. | MEDIUM | Aug 2, 2019 | n/a |
| CVE-2018-20859 | edx-platform before2018-07-18 allows XSS via a response to a Chemical Equation advanced problem. | MEDIUM | Aug 5, 2019 | n/a |
| CVE-2018-20858 | Recommender before 2018-07-18 allows XSS. | MEDIUM | Aug 15, 2019 | n/a |
| CVE-2018-20857 | Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as a name_id node with user@example.com followed by <!---->. and then the attacker\'s domain name. | MEDIUM | Aug 1, 2019 | n/a |
| CVE-2018-20856 | An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled. | MEDIUM | Jul 26, 2019 | n/a |
| CVE-2018-20855 | An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace. | LOW | Jul 26, 2019 | n/a |
| CVE-2018-20854 | An issue was discovered in the Linux kernel before 4.20. drivers/phy/mscc/phy-ocelot-serdes.c has an off-by-one error with a resultant ctrl->phys out-of-bounds read. | MEDIUM | Jul 26, 2019 | n/a |
| CVE-2018-20853 | An issue was discovered in the MailPoet Newsletters (aka wysija-newsletters) plugin before 2.8.2 for WordPress. The plugin is vulnerable to SPAM attacks. | MEDIUM | Nov 8, 2019 | n/a |
| CVE-2018-20852 | http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3. | MEDIUM | Jul 14, 2019 | 10.18.44.9 (Wind River Linux LTS 18) |
| CVE-2018-20851 | Helpy before 2.2.0 allows agents to edit admins. | MEDIUM | Jul 11, 2019 | n/a |
| CVE-2018-20850 | Stormshield Network Security 2.0.0 through 2.13.0 and 3.0.0 through 3.7.1 has self-XSS in the command line interface of the SNS web server. | HIGH | Jul 8, 2019 | n/a |
| CVE-2018-20849 | Arastta eCommerce 1.6.2 is vulnerable to XSS via the PATH_INFO to the login/ URI. | -- | Jul 1, 2019 | n/a |
| CVE-2018-20848 | Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.php and en/achat/caddie_affichage.php, as demonstrated by an XSS payload in the couleurId[0] parameter to the latter. | MEDIUM | Jul 2, 2019 | n/a |
| CVE-2018-20847 | An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the function opj_get_encoding_parameters in openjp2/pi.c in OpenJPEG through 2.3.0 can lead to an integer overflow. | Medium | Jun 28, 2019 | n/a |
| CVE-2018-20846 | Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash). | Medium | Jun 28, 2019 | n/a |
| CVE-2018-20845 | Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl, and pi_next_rpcl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash). | Medium | Jun 28, 2019 | n/a |
| CVE-2018-20843 | In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). | High | Jun 26, 2019 | 10.18.44.9 (Wind River Linux LTS 18) |
| CVE-2018-20841 | HooToo TripMate Titan HT-TM05 and HT-05 routers with firmware 2.000.022 and 2.000.082 allow remote command execution via shell metacharacters in the mac parameter of a protocol.csp?function=set&fname=security&opt=mac_table request. | HIGH | Jun 12, 2019 | n/a |
| CVE-2018-20840 | An unhandled exception vulnerability exists during Google Sign-In with Google API C++ Client before 2019-04-10. It potentially causes an outage of third-party services that were not designed to recover from exceptions. On the client, ID token handling can cause an unhandled exception because of misinterpretation of an integer as a string, resulting in denial-of-service and then other users can no longer login/sign-in to the affected third-party service. Once this third-party service uses Google Sign-In with google-api-cpp-client, a malicious user can trigger this client/auth/oauth2_authorization.cc vulnerability by requesting the client to receive the ID token from a Google authentication server. | MEDIUM | May 31, 2019 | n/a |
| CVE-2018-20839 | systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled. | Medium | May 30, 2019 | n/a |
| CVE-2018-20838 | ampforwp_save_steps_data in the AMP for WP plugin before 0.9.97.21 for WordPress allows stored XSS. | LOW | May 14, 2019 | n/a |
