Input Validation に分類される脆弱性に紐づく CVE を、公開年で絞り込みます。一覧は新しい公開が上に来る並びで、CVSS / EPSS のリスク指標でもさらに絞り込めます。
直近の脆弱性公開や傾向を押さえ、セキュリティチームが高リスクな事象や悪用の可能性を素早く把握するためのビューです。
2018 年に公開され、Input Validation に分類される CVE を表示しています。 CVE の一覧へ
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2018-6333 | The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0. | 9.8 | 1.11% | 2018-12-31 | 2025-05-06 |
| CVE-2018-6347 | An issue in the Proxygen handling of HTTP2 parsing of headers/trailers can lead to a denial-of-service attack. This affects Proxygen prior to v2018.12.31.00. | 7.5 | 0.43% | 2018-12-31 | 2025-05-06 |
| CVE-2018-6343 | Proxygen fails to validate that a secondary auth manager is set before dereferencing it. That can cause a denial of service issue when parsing a Certificate/CertificateRequest HTTP2 Frame over a fizz (TLS 1.3) transport. This issue affects Proxygen releases starting from v2018.10.29.00 until the fix in v2018.11.19.00. | 7.5 | 0.27% | 2018-12-31 | 2025-05-06 |
| CVE-2018-6335 | A Malformed h2 frame can cause 'std::out_of_range' exception when parsing priority meta data. This behavior can lead to denial-of-service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP2 requests. | 7.5 | 0.69% | 2018-12-31 | 2025-05-06 |
| CVE-2018-6334 | Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below). | 9.8 | 0.63% | 2018-12-31 | 2025-05-06 |
| CVE-2018-20614 | public\install\install.php in CIM 0.9.3 allows remote attackers to reload the product via the public/install/#/step3 URI. | 7.5 | 0.65% | 2018-12-30 | 2024-11-21 |
| CVE-2018-14988 | The MXQ TV Box 4.4.2 Android device with a build fingerprint of MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys contains the Android framework with a package name of android (versionCode=19, versionName=4.4.2-20170213) that contains an exported broadcast receiver application component that, when called, will make the device inoperable. The vulnerable component named com.android.server.SystemRestoreReceiver will write a value of --restore_system\n--locale=<localeto the /cache/recovery/comm | 7.5 | 0.30% | 2018-12-28 | 2024-11-21 |
| CVE-2018-20575 | Orange Livebox 00.96.320S devices have an undocumented /system_firmwarel.stm URI for manual firmware update. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2. | 7.5 | 0.24% | 2018-12-28 | 2024-11-21 |
| CVE-2018-5203 | DEXTUploadX5 version Between 1.0.0.0 and 2.2.0.0 contains a vulnerability that could allow remote attacker to download and execute remote arbitrary file by setting the arguments to the activex method. this can be leveraged for code execution. | 9.8 | 2.00% | 2018-12-28 | 2024-11-21 |
| CVE-2018-20551 | A reachable Object::getString assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c. | 6.5 | 0.32% | 2018-12-28 | 2024-11-21 |
| CVE-2018-20539 | There is a Segmentation fault triggered by illegal address access at liblas::SpatialReference::GetGTIF() (spatialreference.cpp) in libLAS 1.8.1 that will cause a denial of service. | 6.5 | 0.29% | 2018-12-28 | 2024-11-21 |
| CVE-2018-20519 | An issue was discovered in 74cms v4.2.111. It allows remote authenticated users to read or modify arbitrary resumes by changing a job-search intention, as demonstrated by the index.php?c=Personal&a=ajax_save_basic pid parameter. | 8.1 | 0.19% | 2018-12-27 | 2024-11-21 |
| CVE-2018-20404 | ETK_E900.sys, a SmartETK driver for VIA Technologies EPIA-E900 system board, is vulnerable to denial of service attack via IOCTL 0x9C402048, which calls memmove and constantly fails on an arbitrary (uncontrollable) address, resulting in an eternal hang or a BSoD. | 7.5 | 0.32% | 2018-12-26 | 2024-11-21 |
| CVE-2018-19869 | An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. | 6.5 | 1.30% | 2018-12-26 | 2024-11-21 |
| CVE-2018-7832 | An Improper Input Validation vulnerability exists in Pro-Face GP-Pro EX v4.08 and previous versions which could cause the execution arbitrary executable when GP-Pro EX is launched. | 8.8 | 1.01% | 2018-12-24 | 2024-11-21 |
| CVE-2018-20424 | Discuz! DiscuzX 3.4, when WeChat login is enabled, allows remote attackers to delete the common_member_wechatmp data structure via an ac=unbindmp request to plugin.php. | 5.9 | 0.20% | 2018-12-24 | 2024-11-21 |
| CVE-2018-19005 | Cscape, Version 9.80.75.3 SP3 and prior. An improper input validation vulnerability has been identified that may be exploited by processing specially crafted POC files lacking user input validation. This may allow an attacker to read confidential information and remotely execute arbitrary code. | 7.8 | 0.20% | 2018-12-20 | 2024-11-21 |
| CVE-2018-1000883 | Elixir Plug Plug version All contains a Header Injection vulnerability in Connection that can result in Given a cookie value, Headers can be added. This attack appear to be exploitable via Crafting a value to be sent as a cookie. This vulnerability appears to have been fixed in >= 1.3.5 or ~> 1.2.5 or ~> 1.1.9 or ~> 1.0.6. | 6.5 | 0.25% | 2018-12-20 | 2024-11-21 |
| CVE-2018-15330 | On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, when a virtual server using the inflate functionality to process a gzip bomb as a payload, the BIG-IP system will experience a fatal error and may cause the Traffic Management Microkernel (TMM) to produce a core file. | 7.5 | 0.61% | 2018-12-20 | 2024-11-21 |
| CVE-2018-1000873 | Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. | 6.5 | 2.19% | 2018-12-20 | 2024-11-21 |