National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-18935

Mon, 11/05/2018 - 04:29
An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.
Categories: Security News

CVE-2018-18936

Mon, 11/05/2018 - 04:29
An issue was discovered in PopojiCMS v2.0.1. admin_library.php allows remote attackers to delete arbitrary files via directory traversal in the po-admin/route.php?mod=library&act=delete id parameter.

CVE-2018-18937

Mon, 11/05/2018 - 04:29
An issue has been found in libIEC61850 v1.3. It is a NULL pointer dereference in ClientDataSet_getValues in client/ied_connection.c.

CVE-2018-18938

Mon, 11/05/2018 - 04:29
An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via an ontoggle attribute to details/open/ within a second input field.

CVE-2018-18939

Mon, 11/05/2018 - 04:29
An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via a seventh input field.

CVE-2018-18942

Mon, 11/05/2018 - 04:29
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the admin/theme_configs/form data[ThemeConfig][logo] parameter.

CVE-2018-18943

Mon, 11/05/2018 - 04:29
An issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI.

CVE-2018-18949

Mon, 11/05/2018 - 04:29
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.

CVE-2018-18950

Mon, 11/05/2018 - 04:29
KindEditor through 4.1.11 has a path traversal vulnerability in php/upload_json.php. Anyone can browse a file or directory in the kindeditor/attached/ folder via the path parameter without authentication.

CVE-2018-18952

Mon, 11/05/2018 - 04:29
JEECMS 9.3 has XSS via an index.do#/content/update?type=update URI.

CVE-2018-18928

Sun, 11/04/2018 - 15:29
International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.

CVE-2018-18919

Sun, 11/04/2018 - 01:29
The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.

CVE-2018-18924

Sun, 11/04/2018 - 01:29
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.

CVE-2018-18925

Sun, 11/04/2018 - 01:29
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.

CVE-2018-18926

Sun, 11/04/2018 - 01:29
Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.

CVE-2018-18927

Sun, 11/04/2018 - 01:29
An issue was discovered in PublicCMS V4.0. It allows XSS by modifying the page_list "attached" attribute (which typically has 'class="icon-globe icon-large"' in its value), as demonstrated by an 'UPDATE sys_module SET attached = "[XSS]" WHERE id="page_list"' statement.

CVE-2018-18909

Sat, 11/03/2018 - 12:29
xhEditor 1.2.2 allows XSS via JavaScript code in the SRC attribute of an IFRAME element within the editor's source-code view.

CVE-2018-18903

Sat, 11/03/2018 - 01:29
Vanilla 2.6.x before 2.6.4 allows remote code execution.

CVE-2018-18915

Sat, 11/03/2018 - 00:29
There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in Exiv2 0.27-RC1. A crafted input will lead to a remote denial of service attack.

CVE-2018-11062

Fri, 11/02/2018 - 18:29
Integrated Data Protection Appliance versions 2.0, 2.1, and 2.2 contain undocumented accounts named 'support' and 'admin' that are protected with default passwords. These accounts have limited privileges and can access certain system files only. A malicious user with the knowledge of the default passwords may potentially log in to the system and gain read and write access to certain system files.
