The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2018-17596 | In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter. | MEDIUM | Oct 2, 2018 | n/a |
| CVE-2018-17595 | In the 5.4.0 version of the Fork CMS software, HTML Injection and Stored XSS vulnerabilities were discovered via the /backend/ajax URI. | MEDIUM | Oct 2, 2018 | n/a |
| CVE-2018-17594 | AirTies Air 5443v2 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter. | MEDIUM | Oct 2, 2018 | n/a |
| CVE-2018-17593 | AirTies Air 5453 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter. | MEDIUM | Oct 5, 2018 | n/a |
| CVE-2018-17591 | AirTies Air 5343v2 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter. | MEDIUM | Oct 5, 2018 | n/a |
| CVE-2018-17590 | AirTies Air 5442 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter. | MEDIUM | Oct 5, 2018 | n/a |
| CVE-2018-17589 | AirTies Air 5650 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter. | MEDIUM | Oct 2, 2018 | n/a |
| CVE-2018-17588 | AirTies Air 5021 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter. | MEDIUM | Oct 5, 2018 | n/a |
| CVE-2018-17587 | AirTies Air 5750 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter. | MEDIUM | Oct 5, 2018 | n/a |
| CVE-2018-17586 | The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the rules[0][content] parameter in a wpfc_save_timeout_pages action. | MEDIUM | Oct 5, 2018 | n/a |
| CVE-2018-17585 | The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the wpfastestcacheoptions wpFastestCachePreload_number or wpFastestCacheLanguage parameter. | MEDIUM | Oct 5, 2018 | n/a |
| CVE-2018-17584 | The WP Fastest Cache plugin 0.8.8.5 for WordPress has CSRF via the wp-admin/admin.php wpfastestcacheoptions page. | MEDIUM | Apr 15, 2019 | n/a |
| CVE-2018-17583 | The WP Fastest Cache plugin 0.8.8.5 for WordPress has XSS via the rules[0][content] parameter in a wpfc_save_exclude_pages action. | MEDIUM | Apr 15, 2019 | n/a |
| CVE-2018-17582 | Tcpreplay v4.3.0 beta1 contains a heap-based buffer over-read. The get_next_packet() function in the send_packets.c file uses the memcpy() function unsafely to copy sequences from the source buffer pktdata to the destination (*prev_packet)->pktdata. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process a file. | MEDIUM | Oct 3, 2018 | n/a |
| CVE-2018-17581 | CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has excessive stack consumption due to a recursive function, leading to Denial of service. | MEDIUM | Sep 28, 2018 | n/a |
| CVE-2018-17580 | A heap-based buffer over-read exists in the function fast_edit_packet() in the file send_packets.c of Tcpreplay v4.3.0 beta1. This can lead to Denial of Service (DoS) and potentially Information Exposure when the application attempts to process a crafted pcap file. | MEDIUM | Oct 3, 2018 | n/a |
| CVE-2018-17575 | SWA SWA.JACAD 3.1.37 Build 024 has SQL Injection via the /academico/aluno/esqueci-minha-senha/ studentId parameter. | HIGH | Sep 28, 2018 | n/a |
| CVE-2018-17574 | An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the name field of a project. | LOW | Sep 28, 2018 | n/a |
| CVE-2018-17573 | The Wp-Insert plugin through 2.4.2 for WordPress allows upload of arbitrary PHP code because of the exposure and configuration of FCKeditor under fckeditor/editor/filemanager/browser/default/browser.html, fckeditor/editor/filemanager/connectors/test.html, and fckeditor/editor/filemanager/connectors/uploadtest.html. | HIGH | Sep 28, 2018 | n/a |
| CVE-2018-17572 | InfluxDB 0.9.5 has Reflected XSS in the Write Data module. | LOW | Mar 3, 2020 | n/a |
| CVE-2018-17571 | Vanilla before 2.6.1 allows XSS via the email field of a profile. | MEDIUM | Sep 28, 2018 | n/a |
| CVE-2018-17570 | utils/ut_ws_svr.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption. | HIGH | Sep 26, 2018 | n/a |
| CVE-2018-17569 | network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption. | HIGH | Sep 26, 2018 | n/a |
| CVE-2018-17568 | utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has an integer overflow leading to memory corruption. | HIGH | Sep 26, 2018 | n/a |
| CVE-2018-17567 | Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the include key in the _config.yml file. | MEDIUM | Sep 27, 2018 | n/a |
| CVE-2018-17566 | In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request. | HIGH | Sep 26, 2018 | n/a |
| CVE-2018-17565 | Shell Metacharacter Injection in the SSH configuration interface on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to execute arbitrary system commands and gain a root shell. | HIGH | Apr 3, 2019 | n/a |
| CVE-2018-17564 | A Malformed Input String to /cgi-bin/delete_CA on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to delete configuration parameters and gain admin access to the device. | HIGH | Apr 4, 2019 | n/a |
| CVE-2018-17563 | A Malformed Input String to /cgi-bin/api-get_line_status on Grandstream GXP16xx VoIP 1.0.4.128 phones allows attackers to dump the device\'s configuration in cleartext. | MEDIUM | Apr 4, 2019 | n/a |
| CVE-2018-17562 | Multi-Tech FaxFinder before 5.1.6 has SQL Injection via a status/call_details?oid= URI, allowing an attacker to extract the underlying database schema to further disclose other fax server information through different injection points. | MEDIUM | Oct 3, 2018 | n/a |
| CVE-2018-17560 | The admin interface of the Grouptime Teamwire Client 1.5.1 prior to 1.9.0 on-premises messenger server allows stored XSS. All backend versions prior to prod-2018-11-13-15-00-42 are affected. | MEDIUM | Jul 5, 2019 | n/a |
| CVE-2018-17559 | Due to incorrect access control, unauthenticated remote attackers can view the /video.mjpg video stream of certain ABUS TVIP cameras. | -- | Oct 26, 2023 | n/a |
| CVE-2018-17558 | Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root. | -- | Oct 26, 2023 | n/a |
| CVE-2018-17557 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-20986. Reason: This candidate is a reservation duplicate of CVE-2018-20986. Notes: All CVE users should reference CVE-2018-20986 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 | n/a |
| CVE-2018-17556 | MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Source action. | LOW | Sep 26, 2018 | n/a |
| CVE-2018-17555 | The web component on ARRIS TG2492LG-NA 061213 devices allows remote attackers to obtain sensitive information via the /snmpGet oids parameter. | MEDIUM | Sep 26, 2018 | n/a |
| CVE-2018-17553 | An Unrestricted Upload of File with Dangerous Type issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php. | MEDIUM | Oct 3, 2018 | n/a |
| CVE-2018-17552 | SQL Injection in login.php in Naviwebs Navigate CMS 2.8 allows remote attackers to bypass authentication via the navigate-user cookie. | HIGH | Oct 3, 2018 | n/a |
| CVE-2018-17542 | SQL Injection exists in MailSherlock before 1.5.235 for OAKlouds allows an unauthenticated user to extract the subjects of the emails of other users within the enterprise via the select_mid parameter in an letgo.cgi request. | Medium | Feb 12, 2019 | n/a |
| CVE-2018-17540 | The gmp plugin in strongSwan before 5.7.1 has a Buffer Overflow via a crafted certificate. | MEDIUM | Oct 3, 2018 | n/a |
| CVE-2018-17539 | The BGP daemon (bgpd) in all IP Infusion ZebOS versions to 7.10.6 and all OcNOS versions to 1.3.3.145 allow remote attackers to cause a denial of service attack via an autonomous system (AS) path containing 8 or more autonomous system number (ASN) elements. | MEDIUM | Jan 1, 2019 | n/a |
| CVE-2018-17538 | ** DISPUTED ** Axon (formerly TASER International) Evidence Sync 3.15.89 is vulnerable to process injection. NOTE: the vendor\'s position is that this CVE is not associated with information that supports any finding of any type of vulnerability. | HIGH | Dec 20, 2018 | n/a |
| CVE-2018-17537 | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. blog-viewer has stored XSS during repository browsing, if package.json exists. . | -- | Apr 17, 2023 | n/a |
| CVE-2018-17536 | An issue was discovered in GitLab Community and Enterprise Edition before 11.1.7, 11.2.x before 11.2.4, and 11.3.x before 11.3.1. There is stored XSS on the merge request page via project import. | -- | Apr 17, 2023 | n/a |
| CVE-2018-17534 | Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges. | HIGH | Oct 15, 2018 | n/a |
| CVE-2018-17533 | Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to cross-site scripting vulnerabilities in hotspotlogin.cgi due to insufficient user input sanitization. | MEDIUM | Oct 15, 2018 | n/a |
| CVE-2018-17532 | Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges. | HIGH | Oct 15, 2018 | n/a |
| CVE-2018-17502 | The Receptionist for iPad could allow a local attacker to obtain sensitive information, caused by an error in the contact.json file. An attacker could exploit this vulnerability to obtain the contact names, phone numbers and emails. | LOW | Mar 27, 2019 | n/a |
| CVE-2018-17500 | Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of hardcoded OAuth Creds in plaintext. An attacker could exploit this vulnerability to obtain sensitive information. | LOW | Mar 28, 2019 | n/a |
| CVE-2018-17499 | Envoy Passport for Android and Envoy Passport for iPhone could allow a local attacker to obtain sensitive information, caused by the storing of unencrypted data in logs. An attacker could exploit this vulnerability to obtain two API keys, a token and other sensitive information. | LOW | Mar 27, 2019 | n/a |
