National Vulnerability Database

Subscribe to National Vulnerability Database feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 7 hours 47 min ago

CVE-2018-11574

Thu, 06/14/2018 - 16:29
Improper input validation together with an integer overflow in the EAP-TLS protocol implementation in PPPD may cause a crash, information disclosure, or authentication bypass. This implementation is distributed as a patch for PPPD 0.91, and includes the affected eap.c and eap-tls.c files. Configurations that use the `refuse-app` option are unaffected.
Categories: Security News

CVE-2018-11689

Thu, 06/14/2018 - 16:29
Smart Viewer in Samsung Web Viewer for Samsung DVR is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Categories: Security News

CVE-2018-11690

Thu, 06/14/2018 - 16:29
The Balbooa Gridbox extension version 2.4.0 and previous versions for Joomla! is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Categories: Security News

CVE-2018-8819

Thu, 06/14/2018 - 16:29
An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via the "X-Wap-Profile" HTTP header.
Categories: Security News

CVE-2018-12421

Thu, 06/14/2018 - 15:29
LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.
Categories: Security News

CVE-2018-12114

Thu, 06/14/2018 - 13:29
Maccms 10 allows CSRF via admin.php/admin/admin/info.html to add user accounts.
Categories: Security News

CVE-2018-10821

Thu, 06/14/2018 - 12:29
Cross-site scripting (XSS) vulnerability in backend/pages/modify.php in BlackCatCMS 1.3 allows remote authenticated users with the Admin role to inject arbitrary web script or HTML via the search panel.
Categories: Security News

CVE-2018-12418

Thu, 06/14/2018 - 12:29
Archive.java in Junrar before 1.0.1, as used in Apache Tika and other products, is affected by a denial of service vulnerability due to an infinite loop when handling corrupt RAR files.
Categories: Security News

CVE-2018-4833

Thu, 06/14/2018 - 12:29
A vulnerability has been identified in RFID 181-EIP (All versions), RUGGEDCOM WiMAX (V4.4 and V4.5), SCALANCE X-200 (All versions < V5.2.3), SCALANCE X-200 IRT (All versions < V5.4.1), SCALANCE X-204RNA (All versions), SCALANCE X-300 (All versions), SCALANCE X408 (All versions), SCALANCE X414 (All versions), SIMATIC RF182C (All versions). Unprivileged remote attackers located in the same local network segment (OSI Layer 2) could gain remote code execution on the affected products by sending a specially crafted DHCP response to a client's DHCP request.
Categories: Security News

CVE-2018-4842

Thu, 06/14/2018 - 12:29
A vulnerability has been identified in SCALANCE X-200 IRT (All versions < V5.4.1), SCALANCE X300 (All versions). A remote, authenticated attacker with access to the configuration web server could be able to store script code on the web site, if the HRP redundancy option is set. This code could be executed in the web browser of victims visiting this web site (XSS), affecting its confidentiality, integrity and availability. User interaction is required for successful exploitation, as the user needs to visit the manipulated web site.
Categories: Security News

CVE-2018-4848

Thu, 06/14/2018 - 12:29
A vulnerability has been identified in SCALANCE X-200 IRT (All versions < V5.4.1), SCALANCE X300 (All versions). The integrated configuration web server of the affected Scalance X Switches could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed.
Categories: Security News

CVE-2017-17172

Thu, 06/14/2018 - 10:29
Huawei smart phones LYO-L21 with software LYO-L21C479B107, LYO-L21C479B107 have a privilege escalation vulnerability. An authenticated, local attacker can crafts malformed packets after tricking a user to install a malicious application and exploit this vulnerability when in the exception handling process. Successful exploitation may cause the attacker to obtain a higher privilege of the smart phones.
Categories: Security News

CVE-2017-17173

Thu, 06/14/2018 - 10:29
Due to insufficient parameters verification GPU driver of Mate 9 Pro Huawei smart phones with the versions before LON-AL00B 8.0.0.356(C00) has an arbitrary memory free vulnerability. An attacker can tricks a user into installing a malicious application on the smart phone, and send given parameter to driver to release special kernel memory resource. Successful exploit may result in phone crash or arbitrary code execution.
Categories: Security News

CVE-2017-17309

Thu, 06/14/2018 - 10:29
Huawei HG255s-10 V100R001C163B025SP02 has a path traversal vulnerability due to insufficient validation of the received HTTP requests, a remote attacker may access the local files on the device without authentication.
Categories: Security News

CVE-2018-8927

Thu, 06/14/2018 - 10:29
Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.
Categories: Security News

CVE-2018-8234

Thu, 06/14/2018 - 08:29
An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-0871.
Categories: Security News

CVE-2018-8235

Thu, 06/14/2018 - 08:29
A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge.
Categories: Security News

CVE-2018-8236

Thu, 06/14/2018 - 08:29
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8110, CVE-2018-8111.
Categories: Security News

CVE-2018-8239

Thu, 06/14/2018 - 08:29
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
Categories: Security News

CVE-2018-8243

Thu, 06/14/2018 - 08:29
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8267.
Categories: Security News

Pages