National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-6758

Tue, 02/06/2018 - 13:29
The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through 2.0.15 has a stack-based buffer overflow via a large directory length.
Categories: Security News

CVE-2017-17663

Tue, 02/06/2018 - 12:29
The htpasswd implementation of mini_httpd before v1.28 and of thttpd before v2.28 is affected by a buffer overflow that can be exploited remotely to perform code execution.

CVE-2018-6389

Tue, 02/06/2018 - 12:29
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

CVE-2014-5279

Tue, 02/06/2018 - 11:29
The Docker daemon managed by boot2docker 1.2 and earlier improperly enables unauthenticated TCP connections by default, which makes it easier for remote attackers to gain privileges or execute arbitrary code from child containers.

CVE-2014-5280

Tue, 02/06/2018 - 11:29
boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication.

CVE-2014-5282

Tue, 02/06/2018 - 11:29
Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'.

CVE-2015-3618

Tue, 02/06/2018 - 11:29
Cross-site scripting (XSS) vulnerability in Nagios Business Process Intelligence (BPI) before 2.3.4 allows remote attackers to inject arbitrary web script or HTML via vectors involving index.php.

CVE-2015-3619

Tue, 02/06/2018 - 11:29
Cross-site scripting (XSS) vulnerability in assets/js/vm2admin.js in the VirtueMart component before 3.0.8 for Joomla! allows remote attackers to inject arbitrary web script or HTML via vectors involving a "double encode combination of first_name, last_name and company."

CVE-2015-4400

Tue, 02/06/2018 - 11:29
Ring (formerly DoorBot) video doorbells allow remote attackers to obtain sensitive information about the wireless network configuration by pressing the set up button and leveraging an API in the GainSpan Wi-Fi module.

CVE-2016-7394

Tue, 02/06/2018 - 11:29
Tiki Wiki CMS Groupware <=15.2 has an XSS vulnerability that allows attackers to steal a user's cookie.

CVE-2017-17996

Tue, 02/06/2018 - 11:29
A buffer overflow vulnerability in "Add command" functionality exists in Flexense SyncBreeze Enterprise <= 10.3.14. The vulnerability can be triggered by an authenticated attacker who submits more than 5000 characters as the command name. It will cause termination of the SyncBreeze Enterprise server and possibly remote command execution with SYSTEM privilege.

CVE-2017-6198

Tue, 02/06/2018 - 11:29
The Supervisor in Sandstorm doesn't set and enforce the resource limits of a process. This allows remote attackers to cause a denial of service by launching a fork bomb in the sandbox, or by using a large amount of disk space.

CVE-2017-6199

Tue, 02/06/2018 - 11:29
A remote attacker could bypass the Sandstorm organization restriction before build 0.203 via a comma in an email-address field.

CVE-2017-6200

Tue, 02/06/2018 - 11:29
Sandstorm before build 0.203 allows remote attackers to read any specified file under /etc or /run via the sandbox backup function. The root cause is that the findFilesToZip function doesn't filter Line Feed (\n) characters in a directory name.

CVE-2017-6201

Tue, 02/06/2018 - 11:29
A Server Side Request Forgery vulnerability exists in the install app process in Sandstorm before build 0.203. A remote attacker may exploit this issue by providing a URL. It could bypass access control such as firewalls that prevent the attackers from accessing the URLs directly.

CVE-2017-15095

Tue, 02/06/2018 - 10:29
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

CVE-2017-7525

Tue, 02/06/2018 - 10:29
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

CVE-2018-6288

Tue, 02/06/2018 - 10:29
Cross-site Request Forgery leading to Administrative account takeover in Kaspersky Secure Mail Gateway version 1.1.

CVE-2018-6289

Tue, 02/06/2018 - 10:29
Configuration file injection leading to Code Execution as Root in Kaspersky Secure Mail Gateway version 1.1.

CVE-2018-6290

Tue, 02/06/2018 - 10:29
Local Privilege Escalation in Kaspersky Secure Mail Gateway version 1.1.