The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2018-17901 | LAquis SCADA Versions 4.1.0.3870 and prior, when processing project files the application fails to sanitize user input prior to performing write operations on a stack object, which may allow an attacker to execute code under the current process. | MEDIUM | Oct 16, 2018 | n/a |
| CVE-2018-17900 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The web application improperly protects credentials which could allow an attacker to obtain credentials for remote access to controllers. | MEDIUM | Oct 12, 2018 | n/a |
| CVE-2018-17899 | LAquis SCADA Versions 4.1.0.3870 and prior has a path traversal vulnerability, which may allow remote code execution. | MEDIUM | Oct 16, 2018 | n/a |
| CVE-2018-17898 | Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The controller application fails to prevent memory exhaustion by unauthorized requests. This could allow an attacker to cause the controller to become unstable. | HIGH | Oct 12, 2018 | n/a |
| CVE-2018-17897 | LAquis SCADA Versions 4.1.0.3870 and prior has several integer overflow to buffer overflow vulnerabilities, which may allow remote code execution. | HIGH | Oct 16, 2018 | n/a |
| CVE-2018-17896 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The affected controllers utilize hard-coded credentials which may allow an attacker gain unauthorized access to the maintenance functions and obtain or modify information. This attack can be executed only during maintenance work. | HIGH | Oct 12, 2018 | n/a |
| CVE-2018-17895 | LAquis SCADA Versions 4.1.0.3870 and prior has several out-of-bounds read vulnerabilities, which may allow remote code execution. | HIGH | Oct 16, 2018 | n/a |
| CVE-2018-17894 | NUUO CMS all versions 3.1 and prior, The application creates default accounts that have hard-coded passwords, which could allow an attacker to gain privileged access. | HIGH | Oct 12, 2018 | n/a |
| CVE-2018-17893 | LAquis SCADA Versions 4.1.0.3870 and prior has an untrusted pointer dereference vulnerability, which may allow remote code execution. | HIGH | Oct 16, 2018 | n/a |
| CVE-2018-17892 | NUUO CMS all versions 3.1 and prior, The application implements a method of user account control that causes standard account security features to not be utilized as intended, which could allow user account compromise and may allow for remote code execution. | MEDIUM | Oct 12, 2018 | n/a |
| CVE-2018-17891 | Carestream Vue RIS, RIS Client Builds: Version 11.2 and prior running on a Windows 8.1 machine with IIS/7.5. When contacting a Carestream server where there is no Oracle TNS listener available, users will trigger an HTTP 500 error, leaking technical information an attacker could use to initiate a more elaborate attack. | MEDIUM | Oct 4, 2018 | n/a |
| CVE-2018-17890 | NUUO CMS all versions 3.1 and prior, The application uses insecure and outdated software components for functionality, which could allow arbitrary code execution. | HIGH | Oct 12, 2018 | n/a |
| CVE-2018-17889 | In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior when parsing project files, the XMLParser that ships with Wecon PIStudio is vulnerable to a XML external entity injection attack, which may allow sensitive information disclosure. | MEDIUM | Oct 8, 2018 | n/a |
| CVE-2018-17888 | NUUO CMS all versions 3.1 and prior, The application uses a session identification mechanism that could allow attackers to obtain the active session ID, which could allow arbitrary remote code execution. | HIGH | Oct 12, 2018 | n/a |
| CVE-2018-17886 | An issue was discovered in JEESNS 1.3. The XSS filter in com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper.java could be bypassed, as demonstrated by a <svg/onLoad=confirm substring. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-12429. | LOW | Oct 2, 2018 | n/a |
| CVE-2018-17884 | XSS exists in admin/gb-dashboard-widget.php in the Gwolle Guestbook (gwolle-gb) plugin before 2.5.4 for WordPress via the PATH_INFO to wp-admin/index.php | MEDIUM | Oct 2, 2018 | n/a |
| CVE-2018-17883 | An issue was discovered in Open Ticket Request System (OTRS) 6.0.x before 6.0.12. An attacker could send an e-mail message with a malicious link to an OTRS system or an agent. If a logged-in agent opens this link, it could cause the execution of JavaScript in the context of OTRS. | -- | Apr 17, 2023 | n/a |
| CVE-2018-17882 | An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user. | MEDIUM | Mar 22, 2019 | n/a |
| CVE-2018-17881 | On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 SetPasswdSettings commands without authentication to trigger an admin password change. | MEDIUM | Oct 3, 2018 | n/a |
| CVE-2018-17880 | On D-Link DIR-823G 2018-09-19 devices, the GoAhead configuration allows /HNAP1 RunReboot commands without authentication to trigger a reboot. | HIGH | Oct 3, 2018 | n/a |
| CVE-2018-17879 | An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts. | -- | Oct 26, 2023 | n/a |
| CVE-2018-17878 | Buffer Overflow vulnerability in certain ABUS TVIP cameras allows attackers to gain control of the program via crafted string sent to sprintf() function. | -- | Oct 26, 2023 | n/a |
| CVE-2018-17877 | A lottery smart contract implementation for Greedy 599, an Ethereum gambling game, generates a random value that is predictable via an external contract call. The developer used the extcodesize() function to prevent a malicious contract from being called, but the attacker can bypass it by writing the core code in the constructor of their exploit code. Therefore, it allows attackers to always win and get rewards. | MEDIUM | Oct 23, 2018 | n/a |
| CVE-2018-17876 | A Stored XSS vulnerability has been discovered in the v5.5.0 version of the Coaster CMS product. | MEDIUM | Oct 4, 2018 | n/a |
| CVE-2018-17875 | A remote code execution issue in the ping command on Poly Trio 8800 5.7.1.4145 devices allows remote authenticated users to execute commands via unspecified vectors. | MEDIUM | Dec 28, 2021 | n/a |
| CVE-2018-17874 | ExpressionEngine before 4.3.5 has reflected XSS. | MEDIUM | Oct 1, 2018 | n/a |
| CVE-2018-17873 | An incorrect access control vulnerability in the FTP configuration of WiFiRanger devices with firmware version 7.0.8rc3 and earlier allows an attacker with adjacent network access to read the SSH Private Key and log in to the root account. | LOW | Oct 23, 2018 | n/a |
| CVE-2018-17872 | Verba Collaboration Compliance and Quality Management Platform before 9.2.1.5545 has Insecure Permissions. | MEDIUM | Oct 4, 2018 | n/a |
| CVE-2018-17871 | Verba Collaboration Compliance and Quality Management Platform before 9.2.1.5545 has Incorrect Access Control. | MEDIUM | Oct 4, 2018 | n/a |
| CVE-2018-17870 | An issue was discovered in BTITeam XBTIT 2.5.4. The returnto parameter of account_change.php is vulnerable to an open redirect, a different vulnerability than CVE-2018-15683. | MEDIUM | Oct 1, 2018 | n/a |
| CVE-2018-17869 | DASAN H660GW devices do not implement any CSRF protection mechanism. | MEDIUM | Oct 1, 2018 | n/a |
| CVE-2018-17868 | DASAN H660GW devices have Stored XSS in the Port Forwarding functionality. | LOW | Oct 1, 2018 | n/a |
| CVE-2018-17867 | The Port Forwarding functionality on DASAN H660GW devices allows remote attackers to execute arbitrary code via shell metacharacters in the cgi-bin/adv_nat_virsvr.asp Addr parameter (aka the Local IP Address field). | HIGH | Oct 1, 2018 | n/a |
| CVE-2018-17866 | Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the Ultimate Member - User Profile & Membership plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Primary button Text or Second button text field. | MEDIUM | Oct 9, 2018 | n/a |
| CVE-2018-17865 | A cross-site scripting (XSS) vulnerability in SAP J2EE Engine 7.01 allows remote attackers to inject arbitrary web script via the wsdlPath parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Aug 13, 2021 | n/a |
| CVE-2018-17862 | A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Fiori allows remote attackers to inject arbitrary web script via the sys_jdbc parameter to /TestJDBC_Web/test2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Aug 13, 2021 | n/a |
| CVE-2018-17861 | A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Portal/EPP allows remote attackers to inject arbitrary web script via the wsdlLib parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer | MEDIUM | Aug 13, 2021 | n/a |
| CVE-2018-17860 | Cloudera CDH has Insecure Permissions because ALL cannot be revoked.This affects 5.x through 5.15.1 and 6.x through 6.0.1. | MEDIUM | Nov 26, 2019 | n/a |
| CVE-2018-17859 | An issue was discovered in Joomla! before 3.8.13. Inadequate checks in com_contact could allow mail submission in disabled forms. | MEDIUM | Oct 9, 2018 | n/a |
| CVE-2018-17858 | An issue was discovered in Joomla! before 3.8.13. com_installer actions do not have sufficient CSRF hardening in the backend. | MEDIUM | Oct 9, 2018 | n/a |
| CVE-2018-17857 | An issue was discovered in Joomla! before 3.8.13. Inadequate checks on the tags search fields can lead to an access level violation. | MEDIUM | Oct 9, 2018 | n/a |
| CVE-2018-17856 | An issue was discovered in Joomla! before 3.8.13. com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled the ability of Administrator-level users to access com_joomlaupdate and trigger code execution. | MEDIUM | Oct 9, 2018 | n/a |
| CVE-2018-17855 | An issue was discovered in Joomla! before 3.8.13. If an attacker gets access to the mail account of an user who can approve admin verifications in the registration process, he can activate himself. | MEDIUM | Oct 9, 2018 | n/a |
| CVE-2018-17854 | SIMDComp before 0.1.1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) because it can read (and then discard) extra bytes. NOTE: this issue exists because of an incomplete fix for CVE-2018-17427. | MEDIUM | Oct 1, 2018 | n/a |
| CVE-2018-17852 | A SQL injection was discovered in WUZHI CMS 4.1.0 in coreframe/app/coupon/admin/card.php via the groupname parameter to the /index.php?m=coupon&f=card&v=detail_listing URI. | HIGH | Oct 1, 2018 | n/a |
| CVE-2018-17851 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
| CVE-2018-17850 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 | n/a |
| CVE-2018-17849 | Navigate CMS 2.8 has Stored XSS via a navigate_upload.php (aka File Upload) request with a multipart/form-data JavaScript payload. | LOW | Oct 4, 2018 | n/a |
| CVE-2018-17848 | The html package (aka x/net/html) through 2018-09-25 in Go mishandles <math><template><mn><b></template>, leading to a panic: runtime error (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call. | MEDIUM | Oct 1, 2018 | n/a |
| CVE-2018-17847 | The html package (aka x/net/html) through 2018-09-25 in Go mishandles <svg><template><desc><t><svg></template>, leading to a panic: runtime error (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call. | MEDIUM | Oct 1, 2018 | n/a |
