National Vulnerability Database

Subscribe to National Vulnerability Database feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 19 hours 8 min ago

CVE-2018-2477

Tue, 11/13/2018 - 15:29
Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50 does not sufficiently validate an XML document accepted from an untrusted source.
Categories: Security News

CVE-2018-2478

Tue, 11/13/2018 - 15:29
An attacker can use specially crafted inputs to execute commands on the host of a TREX / BWA installation, SAP Basis, versions: 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40 and 7.50 to 7.53. Not all commands are possible, only those that can be executed by the <sid>adm user. The commands executed depend upon the privileges of the <sid>adm user.
Categories: Security News

CVE-2018-2479

Tue, 11/13/2018 - 15:29
SAP BusinessObjects Business Intelligence Platform (BIWorkspace), versions 4.1 and 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Categories: Security News

CVE-2018-2481

Tue, 11/13/2018 - 15:29
In some SAP standard roles, in SAP_ABA versions, 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, 75C to 75D, a transaction code reserved for customer is used. By implementing such transaction code a malicious user may execute unauthorized transaction functionality.
Categories: Security News

CVE-2018-2482

Tue, 11/13/2018 - 15:29
SAP Mobile Secure Android Application, Mobile-secure.apk Android client, before version 6.60.19942.0, allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Install the Mobile Secure Android client released in Mid-Oct 2018.
Categories: Security News

CVE-2018-2483

Tue, 11/13/2018 - 15:29
HTTP Verb Tampering is possible in SAP BusinessObjects Business Intelligence Platform, versions 4.1 and 4.2, Central Management Console (CMC) by changing request method.
Categories: Security News

CVE-2018-2485

Tue, 11/13/2018 - 15:29
It is possible for a malicious application or malware to execute JavaScript in a SAP Fiori application. This can include reading and writing of information and calling device specific JavaScript APIs in the application. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
Categories: Security News

CVE-2018-2487

Tue, 11/13/2018 - 15:29
SAP Disclosure Management 10.x allows an attacker to exploit through a specially crafted zip file provided by users: When extracted in specific use cases, files within this zip file can land in different locations than the originally intended extraction point.
Categories: Security News

CVE-2018-2488

Tue, 11/13/2018 - 15:29
It is possible for a malware application installed on an Android device to send local push notifications with an empty message to SAP Fiori Client and cause the application to crash. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
Categories: Security News

CVE-2018-2489

Tue, 11/13/2018 - 15:29
Locally, without any permission, an arbitrary android application could delete the SSO configuration of SAP Fiori Client. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
Categories: Security News

CVE-2018-2490

Tue, 11/13/2018 - 15:29
The broadcast messages received by SAP Fiori Client are not protected by permissions. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.
Categories: Security News

CVE-2018-12416

Tue, 11/13/2018 - 14:29
The GridServer Broker and GridServer Director components of TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an unauthenticated user to perform cross-site request forgery (CSRF). Affected releases are TIBCO Software Inc. TIBCO DataSynapse GridServer Manager: versions up to and including 5.2.0; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; 6.2.0; 6.3.0.
Categories: Security News

CVE-2018-14655

Tue, 11/13/2018 - 14:29
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.
Categories: Security News

CVE-2018-14657

Tue, 11/13/2018 - 14:29
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.
Categories: Security News

CVE-2018-14658

Tue, 11/13/2018 - 14:29
A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack
Categories: Security News

CVE-2018-7910

Tue, 11/13/2018 - 14:29
Some Huawei smartphones ALP-AL00B 8.0.0.118D(C00), ALP-TL00B 8.0.0.118D(C01), BLA-AL00B 8.0.0.118D(C00), BLA-L09C 8.0.0.127(C432), 8.0.0.128(C432), 8.0.0.137(C432), BLA-L29C 8.0.0.129(C432), 8.0.0.137(C432) have an authentication bypass vulnerability. When the attacker obtains the user's smartphone, the vulnerability can be used to replace the start-up program so that the attacker can obtain the information in the smartphone and achieve the purpose of controlling the smartphone.
Categories: Security News

CVE-2018-7925

Tue, 11/13/2018 - 14:29
The radio module of some Huawei smartphones Emily-AL00A The versions before 8.1.0.171(C00) have a lock-screen bypass vulnerability. An unauthenticated attacker could start third-part input method APP through certain operations to bypass lock-screen by exploit this vulnerability.
Categories: Security News

CVE-2018-7926

Tue, 11/13/2018 - 14:29
Huawei Watch 2 with versions and earlier than OWDD.180707.001.E1 have an improper authorization vulnerability. Due to improper permission configuration for specific operations, an attacker who obtained the Huawei ID bound to the watch can bypass permission verification to perform specific operations and modify some data on the watch.
Categories: Security News

CVE-2018-6260

Tue, 11/13/2018 - 12:29
NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector.
Categories: Security News

CVE-2018-16850

Tue, 11/13/2018 - 10:29
postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.
Categories: Security News

Pages