# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
13801 |
CVE-2018-6212 |
79 |
|
XSS |
2018-06-20 |
2018-08-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, a reflected Cross-Site Scripting (XSS) attack is possible as a result of missed filtration for special characters in the "Search" field and incorrect processing of the XMLHttpRequest object. |
13802 |
CVE-2018-6209 |
20 |
|
DoS |
2018-01-24 |
2018-02-07 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxCryptMon.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019. |
13803 |
CVE-2018-6208 |
20 |
|
DoS |
2018-01-24 |
2018-02-07 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x22000d. |
13804 |
CVE-2018-6207 |
20 |
|
DoS |
2018-01-24 |
2018-02-07 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019. |
13805 |
CVE-2018-6206 |
20 |
|
DoS |
2018-01-24 |
2018-02-07 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220011. |
13806 |
CVE-2018-6205 |
20 |
|
DoS |
2018-01-24 |
2018-02-07 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxProtector32.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220009. |
13807 |
CVE-2018-6204 |
20 |
|
DoS |
2018-01-24 |
2018-02-07 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In Max Secure Anti Virus 19.0.3.019,, the driver file (SDActMon.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x220019. |
13808 |
CVE-2018-6203 |
20 |
|
DoS |
2018-01-24 |
2018-02-08 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x8300210C. |
13809 |
CVE-2018-6202 |
20 |
|
DoS |
2018-01-24 |
2018-02-08 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020F8. |
13810 |
CVE-2018-6201 |
20 |
|
DoS |
2018-01-24 |
2018-02-08 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x830020E0 or 0x830020E4. |
13811 |
CVE-2018-6200 |
601 |
|
|
2018-01-24 |
2018-02-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the redirector.php url parameter. |
13812 |
CVE-2018-6198 |
59 |
|
|
2018-01-24 |
2019-10-02 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
w3m through 0.5.3 does not properly handle temporary files when the ~/.w3m directory is unwritable, which allows a local attacker to craft a symlink attack to overwrite arbitrary files. |
13813 |
CVE-2018-6197 |
476 |
|
|
2018-01-24 |
2019-04-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
w3m through 0.5.3 is prone to a NULL pointer dereference flaw in formUpdateBuffer in form.c. |
13814 |
CVE-2018-6196 |
835 |
|
|
2018-01-24 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
w3m through 0.5.3 is prone to an infinite recursion flaw in HTMLlineproc0 because the feed_table_block_tag function in table.c does not prevent a negative indent value. |
13815 |
CVE-2018-6195 |
94 |
|
|
2018-01-30 |
2018-02-15 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
admin/partials/wp-splashing-admin-main.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php. |
13816 |
CVE-2018-6194 |
79 |
|
XSS |
2018-01-30 |
2018-02-14 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the Splashing Images plugin (wp-splashing-images) before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search parameter to wp-admin/upload.php. |
13817 |
CVE-2018-6193 |
79 |
|
XSS |
2018-01-24 |
2018-03-02 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
A Cross-Site Scripting (XSS) vulnerability was found in Routers2 2.24, affecting the 'rtr' GET parameter in a page=graph action to cgi-bin/routers2.pl. |
13818 |
CVE-2018-6192 |
119 |
|
DoS Overflow |
2018-01-24 |
2019-06-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in pdf/pdf-xref.c allows remote attackers to cause a denial of service (segmentation violation and application crash) via a crafted pdf file. |
13819 |
CVE-2018-6191 |
190 |
|
Overflow |
2018-01-24 |
2018-02-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an integer overflow because of incorrect exponent validation. |
13820 |
CVE-2018-6190 |
79 |
|
XSS |
2018-01-24 |
2018-02-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Netis WF2419 V3.2.41381 devices allow XSS via the Description field on the MAC Filtering page. |
13821 |
CVE-2018-6189 |
79 |
|
XSS |
2018-02-15 |
2018-03-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors involving the Tags parameter in the JSON request body in an outbound request for the /api/latest/vulnerabilityscans/tags/batch resource, aka a "suggested metadata tags for assets" issue. |
13822 |
CVE-2018-6188 |
200 |
|
+Info |
2018-02-04 |
2018-03-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive. |
13823 |
CVE-2018-6187 |
119 |
|
DoS Overflow |
2018-01-24 |
2018-11-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow vulnerability in the do_pdf_save_document function in the pdf/pdf-write.c file. Remote attackers could leverage the vulnerability to cause a denial of service via a crafted pdf file. |
13824 |
CVE-2018-6185 |
310 |
|
|
2019-06-07 |
2019-06-11 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
In Cloudera Navigator Key Trustee KMS 5.12 and 5.13, incorrect default ACL values allow remote access to purge and undelete API calls on encryption zone keys. The Navigator Key Trustee KMS includes 2 API calls in addition to those in Apache Hadoop KMS: purge and undelete. The KMS ACL values for these commands are keytrustee.kms.acl.PURGE and keytrustee.kms.acl.UNDELETE respectively. The default value for the ACLs in Key Trustee KMS 5.12.0 and 5.13.0 is "*" which allows anyone with knowledge of the name of an encryption zone key and network access to the Key Trustee KMS to make those calls against known encryption zone keys. This can result in the recovery of a previously deleted, but not purged, key (undelete) or the deletion of a key in active use (purge) resulting in loss of access to encrypted HDFS data. |
13825 |
CVE-2018-6184 |
22 |
|
Dir. Trav. |
2018-01-24 |
2018-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace. |
13826 |
CVE-2018-6183 |
|
|
DoS +Priv |
2018-03-12 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
BitDefender Total Security 2018 allows local users to gain privileges or cause a denial of service by impersonating all the pipes through a use of an "insecurely created named pipe". Ensures full access to Everyone users group. |
13827 |
CVE-2018-6182 |
79 |
|
XSS Bypass |
2018-04-09 |
2018-05-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed by POST packages. Therefore, Mahara should not rely on TinyMCE's code stripping alone but also clean input on the server / PHP side as one can create own packets of POST data containing bad content with which to hit the server. |
13828 |
CVE-2018-6180 |
287 |
|
|
2018-02-08 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
A flaw in the profile section of Online Voting System 1.0 allows an unauthenticated user to set an arbitrary password for other accounts. |
13829 |
CVE-2018-6179 |
200 |
|
+Info |
2019-01-09 |
2019-01-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Insufficient enforcement of file access permission in the activeTab case in Extensions in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to access files on the local file system via a crafted Chrome Extension. |
13830 |
CVE-2018-6178 |
254 |
|
|
2019-01-09 |
2019-01-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Eliding from the wrong side in an infobar in DevTools in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to Hide Chrome Security UI via a crafted Chrome Extension. |
13831 |
CVE-2018-6177 |
200 |
|
+Info |
2019-06-27 |
2019-06-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Information leak in media engine in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. |
13832 |
CVE-2018-6176 |
20 |
|
|
2019-06-27 |
2019-06-28 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
Insufficient file type enforcement in Extensions API in Google Chrome prior to 68.0.3440.75 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted Chrome Extension. |
13833 |
CVE-2018-6175 |
|
|
|
2019-01-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
13834 |
CVE-2018-6174 |
190 |
|
Exec Code Overflow |
2019-01-09 |
2019-01-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Integer overflows in Swiftshader in Google Chrome prior to 68.0.3440.75 potentially allowed a remote attacker to execute arbitrary code via a crafted HTML page. |
13835 |
CVE-2018-6173 |
|
|
|
2019-01-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
13836 |
CVE-2018-6172 |
|
|
|
2019-01-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
13837 |
CVE-2018-6171 |
416 |
|
+Info |
2019-06-27 |
2019-07-01 |
2.9 |
None |
Local Network |
Medium |
Not required |
Partial |
None |
None |
Use after free in Bluetooth in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. |
13838 |
CVE-2018-6170 |
787 |
|
|
2019-01-09 |
2019-01-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
A bad cast in PDFium in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. |
13839 |
CVE-2018-6169 |
20 |
|
|
2019-01-09 |
2019-01-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Lack of timeout on extension install prompt in Extensions in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to trigger installation of an unwanted extension via a crafted HTML page. |
13840 |
CVE-2018-6168 |
200 |
|
+Info |
2019-06-27 |
2019-06-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Information leak in media engine in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
13841 |
CVE-2018-6167 |
|
|
|
2019-01-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
13842 |
CVE-2018-6166 |
|
|
|
2019-01-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
13843 |
CVE-2018-6165 |
|
|
|
2019-01-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Incorrect handling of reloads in Navigation in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
13844 |
CVE-2018-6164 |
200 |
|
+Info |
2019-01-09 |
2019-01-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Insufficient origin checks for CSS content in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to leak cross-origin data via a crafted HTML page. |
13845 |
CVE-2018-6163 |
|
|
|
2019-01-09 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. |
13846 |
CVE-2018-6161 |
20 |
|
Bypass |
2019-06-27 |
2019-06-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Insufficient policy enforcement in Blink in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to bypass same origin policy via a crafted HTML page. |
13847 |
CVE-2018-6160 |
20 |
|
|
2019-01-09 |
2019-01-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
JavaScript alert handling in Prompts in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
13848 |
CVE-2018-6159 |
200 |
|
+Info |
2019-06-27 |
2019-07-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. |
13849 |
CVE-2018-6158 |
362 |
|
|
2019-01-09 |
2019-01-14 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
A race condition in Oilpan in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
13850 |
CVE-2018-6157 |
704 |
|
|
2019-06-27 |
2019-07-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Type confusion in WebRTC in Google Chrome prior to 68.0.3440.75 allowed a remote attacker to potentially exploit heap corruption via a crafted video file. |