National Vulnerability Database

This feed lists the most recent CVE entries published in the National Vulnerability Database.

CVE-2018-18581

5 hours 30 min ago
An issue has been found in LuPng through 2017-03-10. It is a heap-based buffer over-read in internalPrintf in miniz/lupng.c.
Categories: Security News

CVE-2018-18582

5 hours 30 min ago
An issue has been found in LuPng through 2017-03-10. It is a heap-based buffer overflow in insertByte in miniz/lupng.c during a write operation for data obtained from a palette.
Categories: Security News

CVE-2018-18583

5 hours 30 min ago
An issue has been found in LuPng through 2017-03-10. It is a heap-based buffer overflow in insertByte in miniz/lupng.c during a write operation for data obtained from a swap.
Categories: Security News

CVE-2018-18578

6 hours 30 min ago
DedeCMS 5.7 SP2 allows XSS via the plus/qrcode.php type parameter.
Categories: Security News

CVE-2018-18579

6 hours 30 min ago
Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/pm.php folder parameter.
Categories: Security News

CVE-2018-13114

7 hours 30 min ago
Missing authentication and improper input validation in KERUI Wifi Endoscope Camera (YPC99) allow an attacker to execute arbitrary commands (with a length limit of 19 characters) via the "ssid" value, as demonstrated by ssid:;ping 192.168.1.2 in the body of a SETSSID command.
Categories: Security News
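The injection class behind CVE-2018-13114, as an added example that is not KERUI firmware code: the message format, the handler names and the use of a shell to apply the SSID are assumptions chosen to show why a ';' in the value becomes a second command, and what a validating, shell-free handler looks like.

```python
"""Command injection through an SSID value, SETSSID-style handler.

Added illustration, not the camera's code: the 'ssid:' body format, the
iwconfig command line and the handler names are assumptions.
"""
import re
import shlex

# Constructed sample message bodies (not captured from a device).
BENIGN_BODY = "ssid:HomeNet"
PAYLOAD_BODY = "ssid:;ping 192.168.1.2"   # the pattern cited in the advisory


def parse_body(body: str) -> str:
    """Extract the value after the assumed 'ssid:' prefix."""
    if not body.startswith("ssid:"):
        raise ValueError("missing ssid: prefix")
    return body[len("ssid:"):]


def vulnerable_command(body: str) -> str:
    """Vulnerable pattern: splice the raw value into a shell command line.

    A ';' in the value ends the intended command and starts another one.
    """
    return f"iwconfig wlan0 essid {parse_body(body)}"


# 802.11 SSIDs are 0..32 octets. This allow-list is deliberately tighter
# than the standard: printable ASCII with no shell metacharacters.
_SSID_RE = re.compile(r"[A-Za-z0-9 ._-]{1,32}")


def validate_ssid(value: str) -> str:
    if not _SSID_RE.fullmatch(value):
        raise ValueError(f"rejected SSID value: {value!r}")
    return value


def hardened_argv(body: str) -> list[str]:
    """Hardened pattern: validate, then pass the value as a single argv
    element so no shell ever parses it (exec-style, not system())."""
    return ["iwconfig", "wlan0", "essid", validate_ssid(parse_body(body))]


def accepts(body: str) -> bool:
    """True if the hardened handler would apply this body."""
    try:
        hardened_argv(body)
        return True
    except ValueError:
        return False


def shell_commands(cmdline: str) -> int:
    """Count the top-level commands a POSIX shell would see in cmdline."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return sum(1 for tok in lexer if tok == ";") + 1


if __name__ == "__main__":
    print(vulnerable_command(PAYLOAD_BODY), "->",
          shell_commands(vulnerable_command(PAYLOAD_BODY)), "commands")
    print("hardened accepts payload:", accepts(PAYLOAD_BODY))
    print("hardened argv:", hardened_argv(BENIGN_BODY))
```

The 19-character limit quoted in the advisory is not modelled here; the point of the hardened handler is that the length of the value is irrelevant once it can never reach a shell. The missing authentication in the same product (CVE-2018-13115) is a separate precondition that the validator does not address.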

CVE-2018-13115

7 hours 30 min ago
Lack of an authentication mechanism in KERUI Wifi Endoscope Camera (YPC99) allows an attacker to watch or block the camera stream. The RTSP server on port 7070 accepts the command STOP to stop streaming, and the command SETSSID to disconnect a user.
Categories: Security News

CVE-2018-12246

8 hours 30 min ago
Symantec Web Isolation (WI) 1.11 prior to 1.11.21 is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can target end users protected by WI with social engineering attacks using crafted URLs for legitimate web sites. A successful attack allows injecting malicious JavaScript code into the website's rendered copy running inside the end user's web browser. It does not allow injecting code into the real (isolated) copy of the website running on the WI Threat Isolation Engine.
Categories: Security News

CVE-2018-15703

8 hours 30 min ago
Advantech WebAccess 8.3.2 and below is vulnerable to multiple reflected cross-site scripting vulnerabilities. A remote unauthenticated attacker could potentially exploit this by tricking a victim into supplying malicious HTML or JavaScript code to WebAccess, which is then reflected back to the victim and executed by the web browser.
Categories: Security News

CVE-2018-15704

8 hours 30 min ago
Advantech WebAccess 8.3.2 and below is vulnerable to a stack-based buffer overflow. A remote authenticated attacker could potentially exploit this by sending a crafted HTTP request to broadweb/system/opcImg.asp.
Categories: Security News

CVE-2018-18557

11 hours 30 min ago
LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
Categories: Security News

CVE-2018-18559

11 hours 30 min ago
In the Linux kernel through 4.19, a use-after-free can occur due to a race condition between fanout_add from setsockopt and bind on an AF_PACKET socket. This issue exists because of the 15fe076edea787807a7cdc168df832544b58eba6 incomplete fix for a race condition. The code mishandles a certain multithreaded case involving a packet_do_bind unregister action followed by a packet_notifier register action. Later, packet_release operates on only one of the two applicable linked lists. The attacker can achieve Program Counter control.
Categories: Security News

CVE-2018-1850

15 hours 30 min ago
IBM Security Access Manager Appliance 9.0.3.1, 9.0.4.0 and 9.0.5.0 could allow unauthorized administration operations when Advanced Access Control services are running. IBM X-Force ID: 150998.
Categories: Security News

CVE-2018-18553

Sun, 10/21/2018 - 21:29
Leanote 2.6.1 has XSS via the Blog Basic Setting title field, which is mishandled during rendering of the "likes" page.
Categories: Security News

CVE-2018-18550

Sun, 10/21/2018 - 19:29
ServersCheck Monitoring Software before 14.3.4 allows SQL Injection by an authenticated user.
Categories: Security News

CVE-2018-18544

Sat, 10/20/2018 - 21:29
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16.
Categories: Security News

CVE-2018-18545

Sat, 10/20/2018 - 21:29
Fiyo CMS 2.0.7 has XSS via the dapur\apps\app_user\edit_user.php name parameter.
Categories: Security News

CVE-2018-18546

Sat, 10/20/2018 - 21:29
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
Categories: Security News
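ORDER BY injection of the kind described for CVE-2018-18546, as an added example that is not ThinkPHP code: the users table, its rows and the two query helpers are constructed for illustration, and ThinkPHP's own parseOrder behaviour is known here only from the advisory text. The example goes one step beyond the description by showing why an injectable ORDER BY is exploitable as a blind oracle, and why the fix is an allow-list rather than parameter binding.

```python
"""ORDER BY injection versus an allow-list, against an in-memory SQLite DB.

Added illustration, not ThinkPHP code: table, rows and helper names are
constructed; pw_hash values are placeholder strings, not real hashes.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, name TEXT, pw_hash TEXT)")
    con.executemany(
        "INSERT INTO users VALUES(?, ?, ?)",
        [(1, "zed", "s3cr3t"), (2, "amy", "x9y8z7"), (3, "bob", "q1w2e3")],
    )
    return con


def vulnerable_order(con: sqlite3.Connection, order: str) -> list[str]:
    """Splices the caller-supplied order clause straight into the SQL."""
    rows = con.execute(f"SELECT name FROM users ORDER BY {order}")
    return [r[0] for r in rows]


def leak_first_char(con: sqlite3.Connection, guess: str) -> bool:
    """Blind oracle: the sort key depends on a value the attacker cannot
    SELECT directly, so the order of the visible rows leaks one bit."""
    order = (
        "(CASE WHEN (SELECT substr(pw_hash, 1, 1) FROM users WHERE id = 1) "
        f"= '{guess}' THEN id ELSE name END)"
    )
    # ORDER BY id puts 'zed' first; ORDER BY name puts 'amy' first.
    return vulnerable_order(con, order)[0] == "zed"


# Identifiers cannot be bound as query parameters, so the only safe
# approach is to map user input onto a fixed set of column names.
ALLOWED_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def safe_order(con: sqlite3.Connection, order: str) -> list[str]:
    parts = order.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"rejected order clause: {order!r}")
    col = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if col not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected order clause: {order!r}")
    rows = con.execute(f'SELECT name FROM users ORDER BY "{col}" {direction}')
    return [r[0] for r in rows]


def order_accepted(con: sqlite3.Connection, order: str) -> bool:
    try:
        safe_order(con, order)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("guess 's':", leak_first_char(db, "s"))
    print("guess 'a':", leak_first_char(db, "a"))
    print("allow-listed:", safe_order(db, "name DESC"))
```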

CVE-2018-18541

Sat, 10/20/2018 - 18:29
In Teeworlds before 0.6.5, connection packets could be forged. There was no challenge-response involved in the connection build up. A remote attacker could send connection packets from a spoofed IP address and occupy all server slots, or even use them for a reflection attack using map download packets.
Categories: Security News
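The missing challenge-response described for CVE-2018-18541, as an added example that is not Teeworlds code: the packet format, the HMAC-derived token, the minimum CONNECT size and the slot table are assumptions used to show how a server can refuse to commit a slot, or send any bulk data, to an address that has not proved it can receive replies.

```python
"""Stateless connection challenge bound to the client's source address.

Added illustration, not Teeworlds code: packet names, the token
construction and the slot table are assumptions.
"""
import hashlib
import hmac
import secrets

Addr = tuple[str, int]


class Server:
    MAX_SLOTS = 4
    MIN_CONNECT = 64   # padding requirement: a reply is never larger than the request

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)   # per-process, never sent
        self.slots: dict[Addr, bool] = {}

    def token_for(self, addr: Addr) -> bytes:
        """HMAC over (ip, port): the server keeps no per-client state until
        the client echoes this back, which only the real owner of addr can do."""
        msg = f"{addr[0]}:{addr[1]}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle(self, src: Addr, packet: bytes) -> bytes:
        """Return the datagram sent back to src (which may be spoofed)."""
        if packet.startswith(b"CONNECT"):
            if len(packet) < self.MIN_CONNECT:
                return b""            # drop: too small to be worth reflecting
            return b"CHALLENGE" + self.token_for(src)
        if packet.startswith(b"ACCEPT"):
            token = packet[len(b"ACCEPT"):]
            if not hmac.compare_digest(token, self.token_for(src)):
                return b"REJECT"
            if src in self.slots:
                return b"OK"
            if len(self.slots) >= self.MAX_SLOTS:
                return b"FULL"
            self.slots[src] = True
            return b"OK"
        if packet.startswith(b"MAPDATA"):
            # Bulk data only to a peer that has proved its address.
            if src not in self.slots:
                return b"REJECT"
            return b"MAP" + bytes(1400)
        return b"REJECT"


def legitimate_client(server: Server, addr: Addr) -> bytes:
    """The real client receives the challenge and can echo the token."""
    chal = server.handle(addr, b"CONNECT".ljust(Server.MIN_CONNECT, b"\x00"))
    token = chal[len(b"CHALLENGE"):]
    return server.handle(addr, b"ACCEPT" + token)


def spoofing_attacker(server: Server, victim_ip: str, n: int) -> int:
    """Attacker forges n CONNECTs from the victim's IP. Replies go to the
    victim, the attacker never sees a token, and no slot is occupied."""
    for i in range(n):
        server.handle((victim_ip, 40000 + i), b"CONNECT".ljust(Server.MIN_CONNECT, b"\x00"))
    return len(server.slots)


if __name__ == "__main__":
    srv = Server()
    print("legit:", legitimate_client(srv, ("10.0.0.5", 5000)))
    print("slots after 100 spoofed connects:", spoofing_attacker(srv, "198.51.100.7", 100))
```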

CVE-2018-18540

Sat, 10/20/2018 - 17:29
TeaKKi 2.7 allows XSS via a crafted onerror attribute for a picture's URL.
Categories: Security News
