LiveActive security incident?Get immediate response
CVE archive

December 2018

Browse CVE records published in December 2018, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1298 matching CVEs · Page 2 of 26.

High · CVSS 7.8

CVE-2018-6336: An issue was discovered in osquery.

An issue was discovered in osquery. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. This issue affects osquery prior to v3.2.7

Published Dec 31, 2018 · Updated May 6, 2025

Medium · CVSS 6.1

CVE-2018-6668: Bypass Application Control with simple DLL

A whitelist bypass vulnerability in McAfee Application Control / Change Control 7.0.1 and before allows execution bypass, for example, with simple DLL through interpreters such as PowerShell.

Published Dec 31, 2018 · Updated May 6, 2025

Medium · CVSS 6.1

CVE-2018-6341: React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attr...

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Published Dec 31, 2018 · Updated May 6, 2025

Critical · CVSS 9.8

CVE-2018-6342: react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, inclu...

react-dev-utils on Windows allows developers to run a local webserver for accepting various commands, including a command to launch an editor. The input to that command was not properly sanitized, allowing an attacker who can make a network request to the server (either via CSRF or by direct request) to execute arbitrary commands on the targeted system. This issue affects multiple branches: 1.x.x prior to 1.0.4, 2.x.x prior to 2.0.2, 3.x.x prior to 3.1.2, 4.x.x prior to 4.2.2, and 5.x.x prior to 5.0.2.

Published Dec 31, 2018 · Updated May 6, 2025

Medium · CVSS 6.1

CVE-2018-1000874: PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in a...

PHP cebe markdown parser version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in all distributed parsers allowing a malicious crafted script to be executed that can result in the lose of user data and sensitive user information. This attack can be exploited by crafting a three backtick wrapped payload with a character in front: L: "```<script>alert();</script>```". NOTE: This has been argued as a non-issue (see references) since it is not the parser's job to sanitize malicious code from a parsed document

Published Dec 20, 2018 · Updated May 6, 2025

Critical · CVSS 9.8

CVE-2018-6333: The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when...

The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0.

Published Dec 31, 2018 · Updated May 6, 2025

Low · CVSS 3

CVE-2018-25049: email-existence index.js redos

A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The name of the patch is 0029ba71b6ad0d8ec0baa2ecc6256d038bdd9b56. It is recommended to apply a patch to fix this issue. VDB-216854 is the identifier assigned to this vulnerability.

Published Dec 27, 2022 · Updated Apr 11, 2025

Low · CVSS 3.5

CVE-2018-25050: Harvest Chosen abstract-chosen.coffee AbstractChosen cross site scripting

A vulnerability, which was classified as problematic, has been found in Harvest Chosen up to 1.8.6. Affected by this issue is the function AbstractChosen of the file coffee/lib/abstract-chosen.coffee. The manipulation of the argument group_label leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.7 is able to address this issue. The name of the patch is 77fd031d541e77510268d1041ed37798fdd1017e. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216956.

Published Dec 28, 2022 · Updated Apr 10, 2025

Medium · CVSS 6.5

CVE-2018-25106: webuidesigning NebulaX Theme Legacy.php nebula_send_to_hubspot sql injection

A vulnerability, which was classified as critical, has been found in webuidesigning NebulaX Theme up to 5.0 on WordPress. This issue affects the function nebula_send_to_hubspot of the file libs/Legacy/Legacy.php. The manipulation leads to sql injection. The attack may be initiated remotely. The patch is named 41230a81db0f671c570c2644bc2f80565ca83c5a. It is recommended to apply a patch to fix this issue.

Published Dec 23, 2024 · Updated Dec 24, 2024

Medium · CVSS 6.7

CVE-2018-9391: In update_gps_sv and output_vzw_debug of vendor/mediatek/proprietary/hardware/connectivity/gps/gps_hal/...

In update_gps_sv and output_vzw_debug of vendor/mediatek/proprietary/hardware/connectivity/gps/gps_hal/src/gpshal_wor ker.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Published Dec 5, 2024 · Updated Dec 6, 2024

High · CVSS 7.8

CVE-2018-9395: In mtk_cfg80211_vendor_packet_keep_alive_start and mtk_cfg80211_vendor_set_config of drivers/misc/mediatek/...

In mtk_cfg80211_vendor_packet_keep_alive_start and mtk_cfg80211_vendor_set_config of drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Published Dec 4, 2024 · Updated Dec 5, 2024

High · CVSS 7.8

CVE-2018-9400: In gt1x_debug_write_proc and gt1x_tool_write of drivers/input/touchscreen/mediatek/GT1151/gt1x_generic....

In gt1x_debug_write_proc and gt1x_tool_write of drivers/input/touchscreen/mediatek/GT1151/gt1x_generic.c and gt1x_tools.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Published Dec 4, 2024 · Updated Dec 5, 2024