National Vulnerability Database

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-0377

Wed, 07/18/2018 - 19:29
A vulnerability in the Open Systems Gateway initiative (OSGi) interface of Cisco Policy Suite before 18.1.0 could allow an unauthenticated, remote attacker to directly connect to the OSGi interface. The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by directly connecting to the OSGi interface. An exploit could allow the attacker to access or change any files that are accessible by the OSGi process. Cisco Bug IDs: CSCvh18017.
Categories: Security News

CVE-2018-0379

Wed, 07/18/2018 - 19:29
Multiple vulnerabilities exist in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) and Webex Recording Format (WRF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious .arf or .wrf file via email or URL and convincing the user to launch the file in the Webex recording players. Exploitation of these vulnerabilities could allow arbitrary code execution on the system of a targeted user. These vulnerabilities affect ARF and WRF recording players available from Cisco Webex Meetings Suite sites, Cisco Webex Meetings Online sites, and Cisco Webex Meetings Server. Cisco Bug IDs: CSCvi02621, CSCvi02965, CSCvi63329, CSCvi63333, CSCvi63335, CSCvi63374, CSCvi63376, CSCvi63377, CSCvi63391, CSCvi63392, CSCvi63396, CSCvi63495, CSCvi63497, CSCvi63498, CSCvi82684, CSCvi82700, CSCvi82705, CSCvi82725, CSCvi82737, CSCvi82742, CSCvi82760, CSCvi82771, CSCvj51284, CSCvj51294.

CVE-2018-14364

Wed, 07/18/2018 - 15:29
GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before 10.8.6, and 11.x before 11.0.4 allows Directory Traversal with write access and resultant remote code execution via the GitLab projects import component.

CVE-2018-14387

Wed, 07/18/2018 - 15:29
An issue was discovered in WonderCMS before 2.5.2. An attacker can create a new session on a web application and record the associated session identifier. The attacker then causes the victim to authenticate against the server using the same session identifier. The attacker can access the user's account through the active session. The Session Fixation attack fixes a session on the victim's browser, so the attack starts before the user logs in.

CVE-2018-14388

Wed, 07/18/2018 - 15:29
joyplus-cms 1.6.0 has XSS via the manager/admin_ajax.php can_search_device array parameter.

CVE-2018-14389

Wed, 07/18/2018 - 15:29
joyplus-cms 1.6.0 has SQL Injection via the manager/admin_ajax.php val parameter.

CVE-2018-12429

Wed, 07/18/2018 - 12:29
JEESNS through 1.2.1 allows XSS attacks by ordinary users who publish articles containing a crafted payload in order to capture an administrator cookie.

CVE-2018-14082

Wed, 07/18/2018 - 12:29
PHP Scripts Mall JOB SITE (aka Job Portal) 3.0.1 has Cross-site Scripting (XSS) via the search bar.

CVE-2018-7546

Wed, 07/18/2018 - 12:29
wpsmain.dll in Kingsoft WPS Office 2016 and Jinshan PDF 10.1.0.6621 allows remote attackers to cause a denial of service via a crafted pdf file.

CVE-2018-10616

Wed, 07/18/2018 - 11:29
All versions of ABB Panel Builder 800 have an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used.

CVE-2018-10877

Wed, 07/18/2018 - 11:29
The Linux kernel ext4 filesystem is vulnerable to an out-of-bounds access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image.

CVE-2018-14380

Wed, 07/18/2018 - 11:29
In Graylog before 2.4.6, XSS was possible in typeahead components, related to components/common/TypeAheadInput.jsx and components/search/QueryInput.ts.

CVE-2018-14381

Wed, 07/18/2018 - 11:29
Pagekit before 1.0.14 has a /user/login?redirect= open redirect vulnerability.

CVE-2018-14382

Wed, 07/18/2018 - 11:29
InstantCMS 2.10.1 has /redirect?url= XSS.

CVE-2018-8042

Wed, 07/18/2018 - 11:29
In Apache Ambari versions 2.5.0 to 2.6.2, passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services, for example Hive and Oozie.

CVE-2017-18103

Wed, 07/18/2018 - 10:29
The atlassian-http library, as used in various Atlassian products, before version 2.0.2 allows remote attackers to spoof web content in the Mozilla Firefox Browser through uploaded files that have a content-type of application/mathml+xml.

CVE-2018-5232

Wed, 07/18/2018 - 10:29
The EditIssue.jspa resource in Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.10.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuetype parameter.

CVE-2018-8011

Wed, 07/18/2018 - 10:29
A specially crafted HTTP request causes the mod_md challenge handler to dereference a NULL pointer, making the child process segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (affected: 2.4.33).

CVE-2018-3090

Wed, 07/18/2018 - 09:29
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions prior to 5.2.16 are affected. This easily exploitable vulnerability allows an unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3091

Wed, 07/18/2018 - 09:29
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions prior to 5.2.16 are affected. This easily exploitable vulnerability allows an unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).