National Vulnerability Database

Subscribe to National Vulnerability Database feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 2 hours 10 min ago

CVE-2017-1000230

Fri, 11/17/2017 - 16:29
The Snap7 Server version 1.4.1 can be crashed when the ItemCount field of the ReadVar or WriteVar functions of the S7 protocol implementation in Snap7 are provided with unexpected input, thus resulting in denial of service attack.
Categories: Security News

CVE-2017-16880

Fri, 11/17/2017 - 16:29
The dump function in Util/TemplateHelper.php in filp whoops before 2.1.13 has XSS.
Categories: Security News

CVE-2017-4939

Fri, 11/17/2017 - 16:29
VMware Workstation (12.x before 12.5.8) installer contains a DLL hijacking issue that exists due to some DLL files loaded by the application improperly. This issue may allow an attacker to load a DLL file of the attacker's choosing that could execute arbitrary code.
Categories: Security News

CVE-2017-1000215

Fri, 11/17/2017 - 15:29
ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection resulting in remote code execution
Categories: Security News

CVE-2017-14111

Fri, 11/17/2017 - 15:29
The workstation logging function in Philips IntelliSpace Cardiovascular (ISCV) 2.3.0 and earlier and Xcelera R4.1L1 and earlier records domain authentication credentials, which if accessed allows an attacker to use credentials to access the application, or other user entitlements.
Categories: Security News

CVE-2017-16845

Fri, 11/17/2017 - 15:29
hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.
Categories: Security News

CVE-2017-6168

Fri, 11/17/2017 - 14:29
On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM) attack, despite the attacker not having gained access to the server's private key itself.
Categories: Security News

CVE-2017-1000168

Fri, 11/17/2017 - 13:29
sodiumoxide 0.0.13 and older scalarmult() vulnerable to degenerate public keys
Categories: Security News

CVE-2017-1000169

Fri, 11/17/2017 - 13:29
QuickerBB version <= 0.7.2 is vulnerable to arbitrary file writes which can lead to remote code execution. This can lead to the complete takeover of the server hosting QuickerBB.
Categories: Security News

CVE-2017-1000170

Fri, 11/17/2017 - 13:29
jqueryFileTree 2.1.5 and older Directory Traversal
Categories: Security News

CVE-2017-13700

Fri, 11/17/2017 - 13:29
An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. There is XSS in the administration interface.
Categories: Security News

CVE-2017-13702

Fri, 11/17/2017 - 13:29
An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. Cookies can be stolen, manipulated, and reused.
Categories: Security News

CVE-2017-13703

Fri, 11/17/2017 - 13:29
An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. A denial of service may occur.
Categories: Security News

CVE-2017-1000191

Fri, 11/17/2017 - 12:29
Jool 3.5.0-3.5.1 is vulnerable to a kernel crashing packet resulting in a DOS.
Categories: Security News

CVE-2017-1000192

Fri, 11/17/2017 - 12:29
Cygnux sysPass version 2.1.7 and older is vulnerable to a Local File Inclusion in the functionality of javascript files inclusion. The attacker can read the configuration files that contain the login and password from the database, private encryption key, as well as other sensitive information.
Categories: Security News

CVE-2017-16819

Fri, 11/17/2017 - 12:29
A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges.
Categories: Security News

CVE-2017-16877

Fri, 11/17/2017 - 12:29
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.
Categories: Security News

CVE-2017-16875

Fri, 11/17/2017 - 11:29
An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. The ioqueue component may issue a double key unregistration after an attacker initiates a socket connection with specific settings and sequences. Such double key unregistration will trigger an integer overflow, which may cause ioqueue backends to reject future key registrations.
Categories: Security News

CVE-2017-1000203

Fri, 11/17/2017 - 10:29
ROOT version 6.9.03 and below is vulnerable to an authenticated shell metacharacter injection in the rootd daemon resulting in remote code execution
Categories: Security News

CVE-2017-1000206

Fri, 11/17/2017 - 10:29
samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in potential arbitrary code execution
Categories: Security News

Pages