National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-6487

Tue, 02/20/2018 - 16:29
Remote Disclosure of Information in Micro Focus Universal CMDB Foundation Software, version numbers 10.10, 10.11, 10.20, 10.21, 10.22, 10.30, 10.31, 4.10, 4.11. This vulnerability could be remotely exploited to allow disclosure of information.
Categories: Security News

CVE-2018-7263

Tue, 02/20/2018 - 16:29
The mad_decoder_run() function in decoder.c in Underbit libmad through 0.15.1b allows remote attackers to cause a denial of service (SIGABRT because of double free or corruption) or possibly have unspecified other impact via a crafted file.

CVE-2015-6544

Tue, 02/20/2018 - 15:29
Cross-site scripting (XSS) vulnerability in application/dashboard.class.inc.php in Combodo iTop before 2.2.0-2459 allows remote attackers to inject arbitrary web script or HTML via a dashboard title.

CVE-2017-10963

Tue, 02/20/2018 - 14:29
In Knox SDS IAM (Identity Access Management) and EMM (Enterprise Mobility Management) 16.11 on Samsung mobile devices, a man-in-the-middle attacker can install any application into the Knox container (without the user's knowledge) by inspecting network traffic from a Samsung server and injecting content at a certain point in the update sequence. This installed application can further leak information stored inside the Knox container to the outside world.

CVE-2018-5477

Tue, 02/20/2018 - 14:29
An Information Exposure issue was discovered in ABB netCADOPS Web Application Version 3.4 and prior, netCADOPS Web Application Version 7.1 and prior, netCADOPS Web Application Version 7.2x and prior, netCADOPS Web Application Version 8.0 and prior, and netCADOPS Web Application Version 8.1 and prior. A vulnerability exists in the password entry section of netCADOPS Web Application that may expose critical database information.

CVE-2017-6192

Tue, 02/20/2018 - 11:29
Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted image containing a malformed chunk size descriptor.

CVE-2017-6193

Tue, 02/20/2018 - 11:29
Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted image containing a malformed image size descriptor in the IHDR chunk.

CVE-2016-6272

Tue, 02/20/2018 - 10:29
SQL injection vulnerability in EPIC MyChart allows remote attackers to execute arbitrary SQL commands via the topic parameter to help.asp.

CVE-2017-16356

Tue, 02/20/2018 - 10:29
Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) before 3.3.0 allows attackers to execute JavaScript in a victim's browser by having them visit a plugins/content/sige/plugin_sige/print.php link with a crafted img, name, or caption parameter.

CVE-2018-6356

Tue, 02/20/2018 - 10:29
An issue was discovered in the Extended Choice Parameter (aka extended-choice-parameter) plugin 0.64 for Jenkins 2.89.3. The PATH_INFO filename is vulnerable to path traversal attacks via ..\ sequences to the /plugin/extended-choice-parameter/js/ URI.

CVE-2018-6459

Tue, 02/20/2018 - 10:29
The rsa_pss_params_parse function in libstrongswan/credentials/keys/signature_params.c in strongSwan 5.6.1 allows remote attackers to cause a denial of service via a crafted RSASSA-PSS signature that lacks a mask generation function parameter.

CVE-2018-6940

Tue, 02/20/2018 - 10:29
A /shell?cmd= XSS issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with CSRF.

CVE-2018-6941

Tue, 02/20/2018 - 10:29
A /shell?cmd= CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution in conjunction with XSS.

CVE-2018-7046

Tue, 02/20/2018 - 10:29
** DISPUTED ** Arbitrary code execution vulnerability in Kentico 9 through 11 allows remote authenticated users to execute arbitrary operating system commands in a dynamic .NET code evaluation context via C# code in a "Pages -> Edit -> Template -> Edit template properties -> Layout" box. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.

CVE-2018-7205

Tue, 02/20/2018 - 10:29
** DISPUTED ** Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages -> Edit template properties -> Device Layouts -> Create device layout (and edit created device layout) -> Design" screens. NOTE: the vendor has responded that there is intended functionality for authorized users to edit and update ascx code layout.

CVE-2015-2081

Tue, 02/20/2018 - 01:29
Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts.

CVE-2015-9254

Tue, 02/20/2018 - 01:29
Datto ALTO and SIRIS devices have a default VNC password.

CVE-2015-9255

Tue, 02/20/2018 - 01:29
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information about data, software versions, configuration, and virtual machines via a request to a Web Virtual Directory.

CVE-2015-9256

Tue, 02/20/2018 - 01:29
Datto ALTO and SIRIS devices allow remote attackers to obtain sensitive information via access to device/VM restore mount points, because they do not have ACLs by default.

CVE-2017-16835

Tue, 02/20/2018 - 01:29
The "Photo,Video Locker-Calculator" application 12.0 for Android has android:allowBackup="true" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup '-f smart.calculator.gallerylock'" command.
