National Vulnerability Database

Subscribe to National Vulnerability Database feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 2 hours 12 min ago

CVE-2018-1000048

Fri, 02/09/2018 - 18:29
NASA RtRetrievalFramework version v1.0 contains a CWE-502 vulnerability in Data retrieval functionality of RtRetrieval framework that can result in remote code execution. This attack appear to be exploitable via Victim tries to retrieve and process a weather data file.
Categories: Security News

CVE-2018-1000049

Fri, 02/09/2018 - 18:29
nanopool Claymore Dual Miner version 7.3 and earlier contains a Remote Code Execution vulnerability in API that can result in RCE by abusing the remote manager API. This attack appear to be exploitable via The victim must run the miner with read/write mode enabled.
Categories: Security News

CVE-2018-1000050

Fri, 02/09/2018 - 18:29
Sean Barrett stb_vorbis version 1.12 and earlier contains a Buffer Overflow vulnerability in All vorbis decoding paths. that can result in memory corruption, denial of service, comprised execution of host program. This attack appear to be exploitable via Victim must open a specially crafted Ogg Vorbis file. This vulnerability appears to have been fixed in 1.13.
Categories: Security News

CVE-2018-1000051

Fri, 02/09/2018 - 18:29
Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appear to be exploitable via Victim opens a specially crafted PDF.
Categories: Security News

CVE-2018-1000052

Fri, 02/09/2018 - 18:29
fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that can result in Denial of Service. This attack appear to be exploitable via Specifying an invalid format specifier in the fmt::print() function results in a SIGSEGV (memory corruption, invalid write). This vulnerability appears to have been fixed in after commit 8cf30aa2be256eba07bb1cefb998c52326e846e7.
Categories: Security News

CVE-2018-1000053

Fri, 02/09/2018 - 18:29
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint.
Categories: Security News

CVE-2018-1000054

Fri, 02/09/2018 - 18:29
Jenkins CCM Plugin 3.1 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Categories: Security News

CVE-2018-1000055

Fri, 02/09/2018 - 18:29
Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.
Categories: Security News

CVE-2017-1000506

Fri, 02/09/2018 - 18:29
Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial of service and execution of javascript code.
Categories: Security News

CVE-2017-1000507

Fri, 02/09/2018 - 18:29
Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulnerability in User's details that can result in denial of service and execution of javascript code.
Categories: Security News

CVE-2017-1000508

Fri, 02/09/2018 - 18:29
Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . This vulnerability appears to have been fixed in 1.5.5 and later.
Categories: Security News

CVE-2017-1000509

Fri, 02/09/2018 - 18:29
Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code.
Categories: Security News

CVE-2017-1000510

Fri, 02/09/2018 - 18:29
Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code.
Categories: Security News

CVE-2018-1000019

Fri, 02/09/2018 - 18:29
OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an authenticated attacker with any role. This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher.
Categories: Security News

CVE-2018-1000020

Fri, 02/09/2018 - 18:29
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher.
Categories: Security News

CVE-2018-1000021

Fri, 02/09/2018 - 18:29
GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).
Categories: Security News

CVE-2018-1000022

Fri, 02/09/2018 - 18:29
Electrum Technologies GmbH Electrum Bitcoin Wallet version prior to version 3.0.5 contains a Missing Authorization vulnerability in JSONRPC interface that can result in Bitcoin theft, if the user's wallet is not password protected. This attack appear to be exploitable via The victim must visit a web page with specially crafted javascript. This vulnerability appears to have been fixed in 3.0.5.
Categories: Security News

CVE-2018-1000023

Fri, 02/09/2018 - 18:29
Bitpay/insight-api Insight-api version 5.0.0 and earlier contains a CWE-20: input validation vulnerability in transaction broadcast endpoint that can result in Full Path Disclosure. This attack appear to be exploitable via Web request.
Categories: Security News

CVE-2018-1000024

Fri, 02/09/2018 - 18:29
The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed in 4.0.23 and later.
Categories: Security News

CVE-2018-1000025

Fri, 02/09/2018 - 18:29
Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 contains a Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air. This attack appear to be exploitable via Attacker would only need to know email address of the victim on most cases.. This vulnerability appears to have been fixed in 3.8.1.
Categories: Security News

Pages