National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-4202

Fri, 06/08/2018 - 14:29
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. The issue involves the "iBooks" component. It allows man-in-the-middle attackers to spoof a password prompt.
Categories: Security News

CVE-2018-4204

Fri, 06/08/2018 - 14:29
An issue was discovered in certain Apple products. iOS before 11.4 is affected. iOS before 11.3.1 is affected. Safari before 11.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

CVE-2011-4190

Fri, 06/08/2018 - 13:29
The kdump implementation is missing host key verification in the kdump and mkdumprd OpenSSH integration of kdump prior to version 2012-01-20. This is similar to CVE-2011-3588, but differs in that the kdump implementation is specific to SUSE. A remote malicious kdump server could use this flaw to impersonate the correct kdump server and obtain security-sensitive information (kdump core files).

CVE-2012-0433

Fri, 06/08/2018 - 13:29
The install-chef-suse.sh script shipped with crowbar before 2012-10-02 creates files containing confidential data with insecure permissions, allowing local users to read confidential data.

CVE-2013-3703

Fri, 06/08/2018 - 13:29
The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project metadata.

CVE-2014-0593

Fri, 06/08/2018 - 13:29
The set_version script as shipped with obs-service-set_version is a source validator for the Open Build Service (OBS). In versions prior to 0.5.3-1.1 this script did not properly sanitize the input provided by the user, allowing for code execution on the executing server.

CVE-2014-0594

Fri, 06/08/2018 - 13:29
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.

CVE-2014-5220

Fri, 06/08/2018 - 13:29
The mdcheck script of the mdadm package for openSUSE 13.2 prior to version 3.3.1-5.14.1 does not properly sanitize device names, which allows local attackers to execute arbitrary commands as root.

CVE-2018-10358

Fri, 06/08/2018 - 10:29
A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x2200B4 in the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2018-10359

Fri, 06/08/2018 - 10:29
A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x220078 in the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2018-10505

Fri, 06/08/2018 - 10:29
A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x220008 in the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2018-10506

Fri, 06/08/2018 - 10:29
An out-of-bounds read information disclosure vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to disclose sensitive information on vulnerable installations due to a flaw within the processing of IOCTL 0x220004 by the TMWFP driver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2018-12066

Fri, 06/08/2018 - 10:29
BIRD Internet Routing Daemon before 1.6.4 allows local users to cause a denial of service (stack consumption and daemon crash) via BGP mask expressions in birdc.

CVE-2018-8916

Fri, 06/08/2018 - 09:29
Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset passwords without verification.

CVE-2018-8925

Fri, 06/08/2018 - 09:29
Cross-site request forgery (CSRF) vulnerability in admin/user.php in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote attackers to hijack the authentication of administrators via the (1) username, (2) password, (3) admin, (4) action, (5) uid, or (6) modify_admin parameter.

CVE-2018-8926

Fri, 06/08/2018 - 09:29
Permissive regular expression vulnerability in synophoto_dsm_user in Synology Photo Station before 6.8.5-3471 and before 6.3-2975 allows remote authenticated users to conduct privilege escalation attacks via the fullname parameter.

CVE-2011-3172

Fri, 06/08/2018 - 09:29
A vulnerability in pam_modules of SUSE Linux Enterprise allows attackers to log into accounts that should have been disabled. Affected releases are SUSE Linux Enterprise versions prior to 12.

CVE-2017-12075

Fri, 06/08/2018 - 09:29
Command injection vulnerability in EZ-Internet in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to execute arbitrary commands via the username parameter.

CVE-2017-12078

Fri, 06/08/2018 - 09:29
Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary commands via the username parameter.

CVE-2017-1405

Fri, 06/08/2018 - 09:29
IBM Security Identity Manager Virtual Appliance 7.0 processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code. IBM X-Force ID: 127392.
