National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2017-15408

Tue, 08/28/2018 - 15:29
Heap buffer overflow in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file that is mishandled by PDFium.
Categories: Security News

CVE-2017-15407

Tue, 08/28/2018 - 15:29
Out-of-bounds Write in the QUIC networking stack in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to gain code execution via a malicious server.
Categories: Security News

CVE-2018-3926

Tue, 08/28/2018 - 13:29
An exploitable integer underflow vulnerability exists in the ZigBee firmware update routine of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process incorrectly handles malformed files existing in its data directory, leading to an infinite loop, which eventually causes the process to crash. An attacker can send an HTTP request to trigger this vulnerability.
Categories: Security News

CVE-2014-6047

Tue, 08/28/2018 - 13:29
phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to read arbitrary attachments by leveraging incorrect "download an attachment" permission checks.
Categories: Security News

CVE-2014-6048

Tue, 08/28/2018 - 13:29
phpMyFAQ before 2.8.13 allows remote attackers to read arbitrary attachments via a direct request.
Categories: Security News

CVE-2014-6049

Tue, 08/28/2018 - 13:29
phpMyFAQ before 2.8.13 allows remote authenticated users with admin privileges to bypass authorization via a crafted instance ID parameter.
Categories: Security News

CVE-2014-6050

Tue, 08/28/2018 - 13:29
phpMyFAQ before 2.8.13 allows remote attackers to bypass the CAPTCHA protection mechanism by replaying the request.
Categories: Security News

CVE-2018-15529

Tue, 08/28/2018 - 13:29
A command injection vulnerability in maintenance.cgi in Mutiny "Monitoring Appliance" before 6.1.0-5263 allows authenticated users, with access to the admin interface, to inject arbitrary commands within the filename of a system upgrade upload.
Categories: Security News

CVE-2018-15571

Tue, 08/28/2018 - 13:29
The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.
Categories: Security News

CVE-2018-15839

Tue, 08/28/2018 - 13:29
D-Link DIR-615 devices have a buffer overflow via a long Authorization HTTP header.
Categories: Security News

CVE-2014-4932

Tue, 08/28/2018 - 13:29
Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php.
Categories: Security News

CVE-2014-6045

Tue, 08/28/2018 - 13:29
SQL injection vulnerability in phpMyFAQ before 2.8.13 allows remote authenticated users with certain permissions to execute arbitrary SQL commands via vectors involving the restore function.
Categories: Security News

CVE-2014-6046

Tue, 08/28/2018 - 13:29
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyFAQ before 2.8.13 allow remote attackers to hijack the authentication of unspecified users for requests that (1) delete active users by leveraging improper validation of CSRF tokens or that (2) delete open questions, (3) activate users, (4) publish FAQs, (5) add or delete Glossary, (6) add or delete FAQ news, or (7) add or delete comments or add votes by leveraging lack of a CSRF token.
Categories: Security News

CVE-2018-13391

Tue, 08/28/2018 - 08:29
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.
Categories: Security News

CVE-2018-13395

Tue, 08/28/2018 - 08:29
Various resources in Atlassian Jira before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and before version 7.11.1 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the epic colour field of an issue while an issue is being moved.
Categories: Security News

CVE-2018-1705

Tue, 08/28/2018 - 07:29
IBM Platform Symphony 7.1 Fix Pack 1 and 7.1.1 and IBM Spectrum Symphony 7.1.2 and 7.2.0.2 contain an information disclosure vulnerability that could allow an authenticated attacker to obtain highly sensitive information. IBM X-Force ID: 146340.
Categories: Security News

CVE-2018-15919

Tue, 08/28/2018 - 04:29
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'
Categories: Security News

CVE-2018-15911

Tue, 08/28/2018 - 00:29
In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code.
Categories: Security News

CVE-2017-15139

Mon, 08/27/2018 - 13:29
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
Categories: Security News

CVE-2018-15908

Mon, 08/27/2018 - 13:29
In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files.
Categories: Security News
