National Vulnerability Database

Subscribe to National Vulnerability Database feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 23 hours 13 min ago

CVE-2018-11559

Wed, 05/30/2018 - 00:29
DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter.
Categories: Security News

CVE-2018-11544

Tue, 05/29/2018 - 17:29
The Olive Tree Ftp Server application 1.32 for Android has Insecure Data Storage because a username and password are stored in the /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml file as the prefUsername and prefUserpass strings.
Categories: Security News

CVE-2018-11545

Tue, 05/29/2018 - 17:29
md4c 0.2.5 has a heap-based buffer overflow in md_merge_lines because md_is_link_label mishandles the case of a link label composed solely of backslash escapes.
Categories: Security News

CVE-2018-11546

Tue, 05/29/2018 - 17:29
md4c 0.2.5 has a heap-based buffer over-read because md_is_named_entity_contents has an off-by-one error.
Categories: Security News

CVE-2018-11547

Tue, 05/29/2018 - 17:29
md_is_link_reference_definition_helper in md4c 0.2.5 has a heap-based buffer over-read because md_is_link_label mishandles loop termination.
Categories: Security News

CVE-2018-11548

Tue, 05/29/2018 - 17:29
An issue was discovered in EOS.IO DAWN 4.2. plugins/net_plugin/net_plugin.cpp does not limit the number of P2P connections from the same source IP address.
Categories: Security News

CVE-2018-11549

Tue, 05/29/2018 - 17:29
An issue was discovered in WUZHI CMS 4.1.0 There is a Stored XSS Vulnerability in "Account Settings -> Member Centre -> Chinese information -> Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring.
Categories: Security News

CVE-2016-10681

Tue, 05/29/2018 - 16:29
roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10682

Tue, 05/29/2018 - 16:29
massif is a Phantomjs fork massif downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10698

Tue, 05/29/2018 - 16:29
mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2017-16003

Tue, 05/29/2018 - 16:29
windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2017-16010

Tue, 05/29/2018 - 16:29
i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not. This vulnerability affects i18next 2.0.0 and later.
Categories: Security News

CVE-2017-16047

Tue, 05/29/2018 - 16:29
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16061

Tue, 05/29/2018 - 16:29
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16062

Tue, 05/29/2018 - 16:29
node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
Categories: Security News

CVE-2017-16153

Tue, 05/29/2018 - 16:29
gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
Categories: Security News

CVE-2018-10466

Tue, 05/29/2018 - 16:29
Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection.
Categories: Security News

CVE-2018-10751

Tue, 05/29/2018 - 16:29
A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string. The Samsung ID is SVE-2018-11463.
Categories: Security News

CVE-2018-11027

Tue, 05/29/2018 - 16:29
A reflected XSS vulnerability on Ruckus ICX7450-48 devices allows remote attackers to inject arbitrary web script or HTML.
Categories: Security News

CVE-2018-11392

Tue, 05/29/2018 - 16:29
An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field. This results in arbitrary code execution by requesting the .php file.
Categories: Security News

Pages