National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-6893

Mon, 02/12/2018 - 09:29
controllers/member/Api.php in dayrui FineCms 5.2.0 has SQL Injection: a request with s=member, c=api, m=checktitle, and a SQL statement in the 'module' parameter lacks effective filtering.
Categories: Security News

CVE-2018-6506

Sun, 02/11/2018 - 23:29
Cross-Site Scripting (XSS) exists in the Add Forum feature in the Administrative Panel in miniBB 3.2.2 via crafted use of an onload attribute of an SVG element in the supertitle field.

CVE-2018-6845

Sun, 02/11/2018 - 22:29
PHP Scripts Mall Multi Language Olx Clone Script 2.0.6 has XSS via the Leave Comment field.

CVE-2018-6858

Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Facebook Clone Script.

CVE-2018-6860

Sun, 02/11/2018 - 22:29
Arbitrary File Upload and Remote Code Execution exist in PHP Scripts Mall Schools Alert Management Script 2.0.2 via a profile picture.

CVE-2018-6861

Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Lawyer Search Script 1.0.2 via a profile update parameter.

CVE-2018-6862

Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Bitcoin MLM Software 1.0.2 via a profile field.

CVE-2018-6863

Sun, 02/11/2018 - 22:29
SQL Injection exists in PHP Scripts Mall Select Your College Script 2.0.2 via a login parameter.

CVE-2018-6864

Sun, 02/11/2018 - 22:29
Cross Site Scripting (XSS) exists in PHP Scripts Mall Multi religion Responsive Matrimonial 4.7.2 via a user profile update parameter.

CVE-2018-6880

Sun, 02/11/2018 - 22:29
EmpireCMS 6.6 through 7.2 allows remote attackers to discover the full path via an array value for a parameter to class/connect.php.

CVE-2018-6881

Sun, 02/11/2018 - 22:29
EmpireCMS 6.6 allows remote attackers to discover the full path via an array value for a parameter to admin/tool/ShowPic.php.

CVE-2018-6888

Sun, 02/11/2018 - 22:29
An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross-Site Request Forgery flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete, or modify a user account, due to the lack of an anti-CSRF token.

CVE-2018-6889

Sun, 02/11/2018 - 22:29
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection.

CVE-2018-6912

Sun, 02/11/2018 - 21:29
The decode_plane function in libavcodec/utvideodec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file.

CVE-2017-18174

Sun, 02/11/2018 - 13:29
In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.

CVE-2018-6892

Sun, 02/11/2018 - 13:29
An issue was discovered in CloudMe before 1.11.0. An unauthenticated remote attacker that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution.

CVE-2018-6891

Sun, 02/11/2018 - 01:29
Bookly #1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-payment_details_dialog.js.

CVE-2018-1000056

Fri, 02/09/2018 - 18:29
Jenkins JUnit Plugin 1.23 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or carry out denial-of-service attacks.

CVE-2018-1000057

Fri, 02/09/2018 - 18:29
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.

CVE-2018-1000058

Fri, 02/09/2018 - 18:29
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution vulnerability due to incomplete sandbox protection: methods related to Java deserialization, such as readResolve, implemented in Pipeline scripts were not subject to sandbox protection and could therefore execute arbitrary code. This could be exploited, e.g., by regular Jenkins users with permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.
