National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2019-9657

Thu, 07/11/2019 - 15:15
Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a different issue than CVE-2018-19588. This occurs because of incorrect protection of VPN certificates (used for initiating a VPN session to the Alarm.com infrastructure) on the local camera device.
Categories: Security News

CVE-2019-9886

Thu, 07/11/2019 - 15:15
Any URLs with download_attachment.php under the templates or home folders can allow arbitrary files to be downloaded without login in BroadLearning eClass before version ip.2.5.10.2.1.

CVE-2018-17150

Thu, 07/11/2019 - 15:15
Intersystems Cache 2017.2.2.865.0 allows XSS.

CVE-2018-17151

Thu, 07/11/2019 - 15:15
Intersystems Cache 2017.2.2.865.0 has Incorrect Access Control.

CVE-2018-17152

Thu, 07/11/2019 - 15:15
Intersystems Cache 2017.2.2.865.0 allows XXE.

CVE-2018-19588

Thu, 07/11/2019 - 15:15
Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control.

CVE-2019-10135

Thu, 07/11/2019 - 15:15
A flaw was found in the yaml.load() function in the osbs-client versions since 0.46 before 0.56.1. Insecure use of the yaml.load() function allowed the user to load any suspicious object for code execution via the parsing of malicious YAML files.

CVE-2019-10192

Thu, 07/11/2019 - 15:15
A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis's interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.

CVE-2019-10193

Thu, 07/11/2019 - 15:15
A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.

CVE-2019-10194

Thu, 07/11/2019 - 15:15
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions, were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.

CVE-2019-11062

Thu, 07/11/2019 - 15:15
The SUNNET WMPro v5.0 and v5.1 eLearning systems have OS Command Injection via "/teach/course/doajaxfileupload.php". The target server can be exploited without authentication.

CVE-2019-10651

Thu, 07/11/2019 - 14:15
An issue was discovered in the Core Server in Ivanti Endpoint Manager (EPM) 2017.3 before SU7 and 2018.x before 2018.3 SU3, with remote code execution. In other words, the issue affects 2017.3, 2018.1, and 2018.3 installations that lack the April 2019 update.

CVE-2019-11268

Thu, 07/11/2019 - 14:15
Cloud Foundry UAA versions prior to 73.3.0 contain endpoints with improper escaping. An authenticated malicious user with basic read privileges for one identity zone can extend those reading privileges to all other identity zones and obtain private information on users, clients, and groups in all other identity zones.

CVE-2019-13564

Thu, 07/11/2019 - 14:15
XSS exists in Ping Identity Agentless Integration Kit before 1.5.

CVE-2019-13560

Thu, 07/11/2019 - 11:15
D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to force a blank password via the apply_sec.cgi setup_wizard parameter.

CVE-2019-13561

Thu, 07/11/2019 - 11:15
D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote attackers to execute arbitrary commands via shell metacharacters in the online_firmware_check.cgi check_fw_url parameter.

CVE-2019-13562

Thu, 07/11/2019 - 11:15
D-Link DIR-655 C devices before 3.02B05 BETA03 allow XSS, as demonstrated by the /www/ping_response.cgi ping_ipaddr parameter, the /www/ping6_response.cgi ping6_ipaddr parameter, and the /www/apply_sec.cgi html_response_return_page parameter.

CVE-2019-13563

Thu, 07/11/2019 - 11:15
D-Link DIR-655 C devices before 3.02B05 BETA03 allow CSRF for the entire management console.

CVE-2019-10350

Thu, 07/11/2019 - 10:15
Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10351

Thu, 07/11/2019 - 10:15
Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.