National Vulnerability Database

Subscribe to National Vulnerability Database feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 21 min 39 sec ago

CVE-2019-12788

Mon, 06/10/2019 - 15:29
An issue was discovered in Photodex ProShow Producer v9.0.3797 (an application that runs with Administrator privileges). It is possible to perform a buffer overflow via a crafted file.
Categories: Security News

CVE-2019-12790

Mon, 06/10/2019 - 15:29
In radare2 through 3.5.1, there is a heap-based buffer over-read in the r_egg_lang_parsechar function of egg_lang.c. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because of missing length validation in libr/egg/egg.c.
Categories: Security News

CVE-2019-9879

Mon, 06/10/2019 - 14:29
The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.
Categories: Security News

CVE-2019-9880

Mon, 06/10/2019 - 14:29
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
Categories: Security News

CVE-2019-9881

Mon, 06/10/2019 - 14:29
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Categories: Security News

CVE-2019-11517

Mon, 06/10/2019 - 14:29
WampServer before 3.1.9 has CSRF in add_vhost.php because the synchronizer pattern implemented as remediation of CVE-2018-8817 was incomplete. An attacker could add/delete any vhosts without the consent of the owner.
Categories: Security News

CVE-2019-12786

Mon, 06/10/2019 - 14:29
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the IPAddress key.
Categories: Security News

CVE-2019-12787

Mon, 06/10/2019 - 14:29
An issue was discovered on D-Link DIR-818LW devices from 2.05.B03 to 2.06B01 BETA. There is a command injection in HNAP1 SetWanSettings via an XML injection of the value of the Gateway key.
Categories: Security News

CVE-2019-11877

Mon, 06/10/2019 - 13:29
XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRouter.20180616 allows attackers to steal credentials without being connected to the network. The attack vector is a crafted ESSID.
Categories: Security News

CVE-2019-6241

Mon, 06/10/2019 - 13:29
In Bevywise MQTTRoute 1.1 build 1018-002, a connect packet combined with a malformed unsubscribe request packet can be used to cause a Denial of Service attack against the broker.
Categories: Security News

CVE-2018-20352

Mon, 06/10/2019 - 13:29
Use-after-free vulnerability in the mg_cgi_ev_handler function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.
Categories: Security News

CVE-2018-20353

Mon, 06/10/2019 - 13:29
An invalid read of 8 bytes due to a use-after-free vulnerability during a "NULL test" in the mg_http_get_proto_data function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.
Categories: Security News

CVE-2018-20354

Mon, 06/10/2019 - 13:29
An invalid read of 8 bytes due to a use-after-free vulnerability during a "return" in the mg_http_get_proto_data function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.
Categories: Security News

CVE-2018-20355

Mon, 06/10/2019 - 13:29
An invalid write of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.
Categories: Security News

CVE-2018-20356

Mon, 06/10/2019 - 13:29
An invalid read of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.
Categories: Security News

CVE-2019-12780

Mon, 06/10/2019 - 12:29
The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action. A simple POST request to /upnp/control/basicevent1 can allow an attacker to execute commands without authentication.
Categories: Security News

CVE-2019-5243

Mon, 06/10/2019 - 11:29
There is a Clickjacking vulnerability in Huawei HG255s product. An attacker may trick user to click a link and affect the integrity of a device by exploiting this vulnerability.
Categories: Security News

CVE-2019-12387 (twisted)

Mon, 06/10/2019 - 08:29
In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
Categories: Security News

CVE-2019-9087

Fri, 06/07/2019 - 17:29
HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter.
Categories: Security News

CVE-2019-12504

Fri, 06/07/2019 - 17:29
Due to unencrypted and unauthenticated data communication, the wireless presenter Inateck WP2002 is prone to keystroke injection attacks. Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system, e.g., to install malware when the target system is unattended. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected receiver of this device.
Categories: Security News

Pages