National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-0515

Fri, 02/16/2018 - 12:29
Untrusted search path vulnerability in "FLET'S Azukeru Backup Tool" version 1.5.2.6 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
Categories: Security News

CVE-2018-0516

Fri, 02/16/2018 - 12:29
Untrusted search path vulnerability in FLET'S v4 / v6 address selection tool allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2018-7187

Fri, 02/16/2018 - 12:29
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

CVE-2018-7186

Fri, 02/16/2018 - 11:29
Leptonica before 1.75.3 does not limit the number of characters in a %s format argument to fscanf or sscanf, which allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a long string, as demonstrated by the gplotRead and ptaReadStream functions.

CVE-2018-6943

Fri, 02/16/2018 - 09:29
core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

CVE-2018-6944

Fri, 02/16/2018 - 09:29
core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for WordPress has a cross-site scripting vulnerability because it fails to properly sanitize user input passed to the $temp variable.

CVE-2017-14535

Thu, 02/15/2018 - 23:29
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.

CVE-2017-14536

Thu, 02/15/2018 - 23:29
trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or /user/includes/language/langChooser.php.

CVE-2017-14537

Thu, 02/15/2018 - 23:29
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.

CVE-2018-6189

Thu, 02/15/2018 - 23:29
F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors involving the Tags parameter in the JSON request body in an outbound request for the /api/latest/vulnerabilityscans/tags/batch resource, aka a "suggested metadata tags for assets" issue.

CVE-2018-6324

Thu, 02/15/2018 - 23:29
F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated Redirect via the ReturnUrl parameter that triggers upon a user login.

CVE-2018-7176

Thu, 02/15/2018 - 23:29
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).

CVE-2018-1000067

Thu, 02/15/2018 - 19:29
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.

CVE-2018-1000068

Thu, 02/15/2018 - 19:29
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.

CVE-2018-5767

Thu, 02/15/2018 - 18:29
An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A remote, unauthenticated attacker can gain remote code execution on the device with a crafted password parameter for the COOKIE header.

CVE-2018-6316

Thu, 02/15/2018 - 18:29
Ivanti Endpoint Security (formerly HEAT Endpoint Management and Security Suite) 8.5 Update 1 and earlier allows an authenticated user with low privileges and access to the local network to bypass application whitelisting when using the Application Control module on Ivanti Endpoint Security in lockdown mode.

CVE-2017-8973

Thu, 02/15/2018 - 17:29
An improper input validation vulnerability in HPE Matrix Operating Environment version 7.6 LR1 was found.

CVE-2017-8974

Thu, 02/15/2018 - 17:29
A Local Authentication Restriction Bypass vulnerability in HPE NonStop Server version L-Series: T6533L01 through T6533L01^ADN; J-Series and H-series: T6533H02 through T6533H04^ADF and T6533H05 through T6533H05^ADL was found.

CVE-2017-8975

Thu, 02/15/2018 - 17:29
A Remote Code Execution vulnerability in Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance version v1.20 was found.

CVE-2017-8976

Thu, 02/15/2018 - 17:29
A Remote Code Execution vulnerability in Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance version v1.20 was found.
