National Vulnerability Database

Subscribe to National Vulnerability Database feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 19 hours 6 min ago

CVE-2018-17921

Wed, 10/24/2018 - 18:29
SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to an attack that may allow an attacker to force-pair the device without human interaction.
Categories: Security News

CVE-2018-17923

Wed, 10/24/2018 - 18:29
SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to an attack that an attacker with physical access to the product may able to reprogram it.
Categories: Security News

CVE-2018-18551

Wed, 10/24/2018 - 18:29
ServersCheck Monitoring Software through 14.3.3 has Persistent and Reflected XSS via the sensors.html status parameter, sensors.html type parameter, sensors.html device parameter, report.html location parameter, group_delete.html group parameter, report_save.html query parameter, sensors.html location parameter, or group_delete.html group parameter.
Categories: Security News

CVE-2018-18552

Wed, 10/24/2018 - 18:29
ServersCheck Monitoring Software through 14.3.3 allows local users to cause a denial of service (menu functionality loss) by creating an LNK file that points to a second LNK file, if this second LNK file is associated with a Start menu. Ultimately, this behavior comes from a Directory Traversal bug (via the sensor_details.html id parameter) that allows creating empty files in arbitrary directories.
Categories: Security News

CVE-2018-18566

Wed, 10/24/2018 - 18:29
The SIP service in Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allow remote attackers to obtain sensitive phone configuration information by leveraging use with an on-premise installation with Skype for Business.
Categories: Security News

CVE-2018-18567

Wed, 10/24/2018 - 18:29
AudioCodes 440HD and 450HD devices 3.1.2.89 and earlier allows man-in-the-middle attackers to obtain sensitive credential information by leveraging failure to validate X.509 certificates when used with an on-premise installation with Skype for Business.
Categories: Security News

CVE-2018-18568

Wed, 10/24/2018 - 18:29
Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allows man-in-the-middle attackers to obtain sensitive credential information by leveraging failure to validate X.509 certificates when used with an on-premise installation with Skype for Business.
Categories: Security News

CVE-2018-18621

Wed, 10/24/2018 - 18:29
CommuniGate Pro 6.2 allows stored XSS via a message body in Pronto! Mail Composer, which is mishandled in /MIME/INBOX-MM-1/ if the raw email link (in .txt format) is modified and then renamed with a .html or .wssp extension.
Categories: Security News

CVE-2018-13342

Wed, 10/24/2018 - 18:29
The server API in the Anda app relies on hardcoded credentials.
Categories: Security News

CVE-2018-15750

Wed, 10/24/2018 - 18:29
Directory Traversal vulnerability in salt-api in SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allows remote attackers to determine which files exist on the server.
Categories: Security News

CVE-2018-15751

Wed, 10/24/2018 - 18:29
SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allow remote attackers to bypass authentication and execute arbitrary commands via salt-api(netapi).
Categories: Security News

CVE-2018-17903

Wed, 10/24/2018 - 18:29
SAGA1-L8B with any firmware versions prior to A0.10 are vulnerable to a replay attack and command forgery.
Categories: Security News

CVE-2018-18547

Wed, 10/24/2018 - 17:29
Vesta Control Panel through 0.9.8-22 has XSS via the edit/web/ domain parameter, the list/backup/ backup parameter, the list/rrd/ period parameter, the list/directory/ dir_a parameter, or the filename to the list/directory/ URI.
Categories: Security News

CVE-2018-18548

Wed, 10/24/2018 - 17:29
ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager.
Categories: Security News

CVE-2018-18635

Wed, 10/24/2018 - 17:29
www/guis/admin/application/controllers/UserController.php in the administration login interface in MailCleaner CE 2018.08 and 2018.09 allows XSS via the admin/login/user/message/ PATH_INFO.
Categories: Security News

CVE-2018-18636

Wed, 10/24/2018 - 17:29
XSS exists in cgi-bin/webcm on D-link DSL-2640T routers via the var:RelaodHref or var:conid parameter.
Categories: Security News

CVE-2018-9279

Wed, 10/24/2018 - 17:29
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The appliance discloses the user's password. The web page displayed by the appliance contains the password in cleartext. Passwords could be retrieved by browsing the source code of the webpage.
Categories: Security News

CVE-2018-9280

Wed, 10/24/2018 - 17:29
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The appliance discloses the SNMP version 3 user's password. The web page displayed by the appliance contains the password in cleartext. Passwords of the read and write users could be retrieved by browsing the source code of the webpage.
Categories: Security News

CVE-2018-9281

Wed, 10/24/2018 - 17:29
An issue was discovered on Eaton UPS 9PX 8000 SP devices. The administration panel is vulnerable to a CSRF attack on the change-password functionality. This vulnerability could be used to force a logged-in administrator to perform a silent password update. The affected forms are also vulnerable to Reflected Cross-Site Scripting vulnerabilities. This flaw could be triggered by driving an administrator logged into the Eaton application to a specially crafted web page. This attack could be done silently.
Categories: Security News

CVE-2016-10729

Wed, 10/24/2018 - 17:29
An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root.
Categories: Security News

Pages