National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2019-7671

Wed, 06/05/2019 - 15:29
Prima Systems FlexAir devices allow Authenticated Stored XSS.
Categories: Security News

CVE-2019-7672

Wed, 06/05/2019 - 15:29
Prima Systems FlexAir devices have Hard-coded Credentials.

CVE-2019-8385

Wed, 06/05/2019 - 15:29
An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \.. to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine's SAM and SYSTEM database files, as well as remote code execution.

CVE-2019-9156

Wed, 06/05/2019 - 15:29
Gemalto DS3 Authentication Server 2.6.1-SP01 allows OS Command Injection.

CVE-2019-9157

Wed, 06/05/2019 - 15:29
Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure.

CVE-2019-9158

Wed, 06/05/2019 - 15:29
Gemalto DS3 Authentication Server 2.6.1-SP01 has Broken Access Control.

CVE-2019-11988 (smart_update_manager)

Wed, 06/05/2019 - 14:29
A Remote Unauthorized Access vulnerability was identified in HPE Smart Update Manager (SUM) earlier than version 8.3.5.

CVE-2019-12196 (manageengine_netflow_analyzer)

Wed, 06/05/2019 - 14:29
A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.

CVE-2019-12276

Wed, 06/05/2019 - 14:29
A Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.

CVE-2019-5394

Wed, 06/05/2019 - 14:29
The HPE Nonstop Maintenance Entity family of products are vulnerable to local disclosure of information, such as system layout and configuration.

CVE-2019-9187

Wed, 06/05/2019 - 14:29
ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190226 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs.

CVE-2019-9189 (flexair)

Wed, 06/05/2019 - 14:29
On Prima Systems FlexAir devices through 2.4.9api3, an authenticated user can upload Python (.py) scripts and execute arbitrary code with root privileges.

CVE-2019-11226 (cms_made_simple)

Wed, 06/05/2019 - 14:29
CMS Made Simple 2.2.10 has XSS via the m1_name parameter in "Add Article" under Content -> Content Manager -> News.

CVE-2019-11987 (smart_update_manager)

Wed, 06/05/2019 - 14:29
A security vulnerability in HPE Smart Update Manager (SUM) prior to v8.4 could allow local unauthorized elevation of privilege.

CVE-2019-11982

Wed, 06/05/2019 - 13:29
A remote cross site scripting vulnerability was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than v2.61b for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers earlier than version v1.39.

CVE-2019-11983

Wed, 06/05/2019 - 13:29
A remote buffer overflow vulnerability was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than v2.61b for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers earlier than version v1.39.

CVE-2019-12553

Wed, 06/05/2019 - 13:29
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the StrCat function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.

CVE-2019-12554

Wed, 06/05/2019 - 13:29
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the WSubStr function (provided by the scripting engine) allows an attacker to cause a denial of service by crashing the application.

CVE-2019-12555

Wed, 06/05/2019 - 13:29
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the SubStr function (provided by the scripting engine) allows an attacker to cause a denial of service by crashing the application.

CVE-2019-1842

Wed, 06/05/2019 - 13:29
A vulnerability in the Secure Shell (SSH) authentication function of Cisco IOS XR Software could allow an authenticated, remote attacker to successfully log in to an affected device using two distinct usernames. The vulnerability is due to a logic error that may occur when certain sequences of actions are processed during an SSH login event on the affected device. An attacker could exploit this vulnerability by initiating an SSH session to the device with a specific sequence that presents the two usernames. A successful exploit could result in logging data misrepresentation, user enumeration, or, in certain circumstances, a command authorization bypass. See the Details section for more information.