CVEs from 2018

3,719 normalized CVEs published or assigned in this year.

Total

3,719

critical

critical 225

high

high 266

medium

medium 224

low

low 32

% Critical

6.1%

% with KEV

2.4%

% with exploit

2.4%

Top vendors

Top packages

critical high medium low unknown

KEV Has exploit

Reset

CVE	Severity	CVSS	Risk	Published	Description
CVE-2018-18509	critical	—	9.5	—	A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signatur…
CVE-2018-5170	critical	—	9.5	—	It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. Thi…
CVE-2018-5185	critical	—	9.5	—	Plaintext of decrypted emails can leak through by user submitting an embedded form. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.
CVE-2018-5154	critical	—	9.5	—	A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < …
CVE-2018-6090	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6117	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6113	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6097	critical	—	9.5	—	multiple issues in chromium
CVE-2018-19628	critical	—	9.5	—	In Wireshark 2.6.0 to 2.6.4, the ZigBee ZCL dissector could crash. This was addressed in epan/dissectors/packet-zbee-zcl-lighting.c by preventing a divide-by-zero error.
CVE-2018-18643	critical	—	9.5	—	multiple issues in gitlab
CVE-2018-18646	critical	—	9.5	—	multiple issues in gitlab
CVE-2018-6106	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6111	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6103	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6108	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6107	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6104	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6102	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6098	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6100	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6099	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6092	critical	—	9.5	—	multiple issues in chromium
CVE-2018-6089	critical	—	9.5	—	multiple issues in chromium
CVE-2018-5158	critical	—	9.5	4y ago	Malicious PDF can inject JavaScript into PDF Viewer
CVE-2018-10895	critical	—	9.5	8y ago	qutebrowser before version 1.4.1 is vulnerable to a cross-site request forgery flaw that allows websites to access 'qute://*' URLs. A malicious website could exploit this to load a 'qute://settings/s…
CVE-2018-1273	unknown	—	1.5	8y ago	Spring Data Commons remote code injection vulnerability
CVE-2018-7685	unknown	—	—	—	The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow …
CVE-2018-19206	unknown	—	—	—	steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
CVE-2018-1000071	unknown	—	—	—	roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via networ…
CVE-2018-19205	unknown	—	—	—	Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated w…
CVE-2018-17196	unknown	—	—	4y ago	Improper Input Validation in Apache Kafka
CVE-2018-1000008	unknown	—	—	4y ago	XXE vulnerability in Jenkins PMD Plugin
CVE-2018-1000056	unknown	—	—	4y ago	Improper Restriction of XML External Entity Reference in Jenkins JUnit Plugin
CVE-2018-1000055	unknown	—	—	4y ago	XXE vulnerability in Jenkins Android Lint Plugin
CVE-2018-1000113	unknown	—	—	4y ago	Stored cross-site scripting vulnerability in Jenkins TestLink Plugin
CVE-2018-1000143	unknown	—	—	4y ago	Jenkins GitHub Pull Request Builder Plugin
CVE-2018-1000153	unknown	—	—	4y ago	Jenkins vSphere Plugin Cross-Site Request Forgery vulnerability
CVE-2018-1000175	unknown	—	—	4y ago	Jenkins HTML Publisher Plugin path traversal vulnerability
CVE-2018-1000177	unknown	—	—	4y ago	Stored XSS vulnerability in Jenkins S3 Publisher Plugin
CVE-2018-1309	unknown	—	—	4y ago	Improper Restriction of XML External Entity Reference in Apache NiFi
CVE-2018-11651	unknown	—	—	4y ago	Cross-site Scripting in Graylog
CVE-2018-1000182	unknown	—	—	4y ago	Server-Side Request Forgery in Jenkins Git Plugin
CVE-2018-1000202	unknown	—	—	4y ago	Jenkins Groovy Postbuild Plugin vulnerable to Cross-site Scripting
CVE-2018-1000190	unknown	—	—	4y ago	Exposure of sensitive information vulnerability in Jenkins Black Duck Hub Plugin
CVE-2018-1000198	unknown	—	—	4y ago	XML External Entity processing vulnerability in Jenkins Black Duck Hub Plugin
CVE-2018-1000196	unknown	—	—	4y ago	Jenkins Gitlab Hook Plugin stores and displays GitLab API token in plain text
CVE-2018-1000602	unknown	—	—	4y ago	Jenkins SAML Plugin Session Fixation vulnerability
CVE-2018-13003	unknown	—	—	4y ago	OpenTSDB Cross-site Scripting vulnerability
CVE-2018-1000604	unknown	—	—	4y ago	Jenkins Badge Plugin cross-site scripting vulnerability
CVE-2018-1000607	unknown	—	—	4y ago	Arbitrary file write vulnerability in Jenkins Fortify CloudScan Plugin
CVE-2018-1000609	unknown	—	—	4y ago	Jenkins Configuration as Code Plugin vulnerable to Exposure of Sensitive Information
CVE-2018-1000402	unknown	—	—	4y ago	Jenkins AWS CodeDeploy Plugin has Insufficiently Protected Credentials
CVE-2018-14380	unknown	—	—	4y ago	Cross-site Scripting in Graylog Server
CVE-2018-14371	unknown	—	—	4y ago	Path Traversal in Eclipse Mojarra
CVE-2018-1999031	unknown	—	—	4y ago	Jenkins meliora-testlab Plugin allows attackers with file system access to Jenkins master to obtain API key
CVE-2018-1999029	unknown	—	—	4y ago	Stored Cross-Site Scripting Vulnerability in Jenkins Shelve Project Plugin
CVE-2018-1999041	unknown	—	—	4y ago	Exposure of sensitive information vulnerability
CVE-2018-1999037	unknown	—	—	4y ago	Jenkins Resource Disposer Plugin allows attacker to stop tracking specified resource
CVE-2018-1999039	unknown	—	—	4y ago	Server-Side Request Forgery (SSRF) in Jenkins Confluence Publisher Plugin
CVE-2018-11758	unknown	—	—	4y ago	XML External Entity Reference in Apache Cayenne
CVE-2018-16277	unknown	—	—	4y ago	XWiki XSS Vulnerability
CVE-2018-11804	unknown	—	—	4y ago	Improper Input Validation in Apache Spark
CVE-2018-1000417	unknown	—	—	4y ago	CSRF vulnerability in Email Extension Template Plugin
CVE-2018-1000415	unknown	—	—	4y ago	Cross-site Scripting in Jenkins Rebuilder Plugin
CVE-2018-1000421	unknown	—	—	4y ago	Server-side request forgery vulnerability in Jenkins Mesos Plugin
CVE-2018-8718	unknown	—	—	4y ago	Cross-Site Request Forgery in Jenkins Mailer Plugin
CVE-2018-1000191	unknown	—	—	4y ago	Jenkins Black Duck Detect Plugin information exposure vulnerability
CVE-2018-1999042	unknown	—	—	4y ago	Deserialization of Untrusted Data in Jenkins
CVE-2018-1999046	unknown	—	—	4y ago	Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
CVE-2018-1000410	unknown	—	—	4y ago	Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
CVE-2018-1000406	unknown	—	—	4y ago	Path Traversal in Jenkins
CVE-2018-1000997	unknown	—	—	4y ago	Improper Limitation of a Pathname to a Restricted Directory in Jenkins
CVE-2018-1000078	unknown	—	—	4y ago	RubyGems Cross-site Scripting vulnerability
CVE-2018-1000079	unknown	—	—	4y ago	RubyGems Path Traversal vulnerability
CVE-2018-8028	unknown	—	—	4y ago	Apache Sentry may allow attacker to access/remove data from Sentry protected table
CVE-2018-8016	unknown	—	—	4y ago	Missing Authentication for Critical Function in Apache Cassandra
CVE-2018-3258	unknown	—	—	4y ago	Improper Privilege Management in MySQL Connectors Java
CVE-2018-1999044	unknown	—	—	4y ago	Infinite Loop in Jenkins Core
CVE-2018-1297	unknown	—	—	4y ago	Missing certificate validation in Apache JMeter
CVE-2018-1000610	unknown	—	—	4y ago	Jenkins Configuration as Code Plugin has Insufficiently Protected Credentials
CVE-2018-1000863	unknown	—	—	4y ago	Improper Limitation of a Pathname to a Restricted Directory in Jenkins
CVE-2018-1000600	unknown	—	—	4y ago	CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
CVE-2018-1000608	unknown	—	—	4y ago	Jenkins z/OS Connector Plugin allows local attacker to retrieve configured password
CVE-2018-1000401	unknown	—	—	4y ago	Jenkins AWS CodePipeline Plugin has Insufficiently Protected Credentials
CVE-2018-1000408	unknown	—	—	4y ago	Improper Authorization in Jenkins
CVE-2018-1000152	unknown	—	—	4y ago	Jenkins vSphere Plugin incorrect authorization vulnerability
CVE-2018-1000146	unknown	—	—	4y ago	Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM
CVE-2018-1000106	unknown	—	—	4y ago	Incorrect Authorization in Jenkins Gerrit Trigger Plugin
CVE-2018-1000107	unknown	—	—	4y ago	Improper authorization in Jenkins Job and Node Ownership Plugin
CVE-2018-1000110	unknown	—	—	4y ago	Incorrect Authorization in Jenkins Git Plugin
CVE-2018-1000057	unknown	—	—	4y ago	Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials
CVE-2018-1002202	unknown	—	—	4y ago	Improper Limitation of a Pathname to a Restricted Directory in Zip4j
CVE-2018-14655	unknown	—	—	4y ago	Keycloak vulnerable to cross-site scripting via the state parameter
CVE-2018-14658	unknown	—	—	4y ago	Keycloak Open Redirect
CVE-2018-15761	unknown	—	—	4y ago	Cloud Foundry UAA Privilege Escalation
CVE-2018-1229	unknown	—	—	4y ago	Cross-site Scripting in Pivotal Spring Batch Admin
CVE-2018-12533	unknown	—	—	4y ago	Arbitrary code execution in Richfaces
CVE-2018-12532	unknown	—	—	4y ago	RichFaces vulnerable to Expression Language Injection
CVE-2018-1000425	unknown	—	—	4y ago	Jenkins SonarQube Scanner Plugin stored server authentication token in plain text
CVE-2018-1000419	unknown	—	—	4y ago	Jenkins HipChat Plugin allows attackers with Overall/Read access to obtain credential IDs

CVEs from 2018

Top vendors

Top products

Top packages