NVD Vulnerabilities

Subscribe to NVD Vulnerabilities feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 4 hours 49 min ago

CVE-2018-10841

Wed, 06/20/2018 - 14:29
glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
Categories: NVD

CVE-2018-12599

Wed, 06/20/2018 - 14:29
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
Categories: NVD

CVE-2018-12600

Wed, 06/20/2018 - 14:29
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
Categories: NVD

CVE-2018-12601

Wed, 06/20/2018 - 14:29
There is a heap-based buffer overflow in ReadImage in input-tga.ci in sam2p 0.49.4 that leads to a denial of service or possibly unspecified other impact.
Categories: NVD

CVE-2018-5428

Wed, 06/20/2018 - 14:29
The version control adapters component of TIBCO Data Virtualization (formerly known as Cisco Information Server) contains vulnerabilities that may allow for arbitrary command execution. Affected releases are TIBCO Data Virtualization: 7.0.5; 7.0.6.
Categories: NVD

CVE-2018-5236

Wed, 06/20/2018 - 12:29
Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 may be susceptible to a race condition (or race hazard). This type of issue occurs in software where the output is dependent on the sequence or timing of other uncontrollable events.
Categories: NVD

CVE-2018-5237

Wed, 06/20/2018 - 12:29
Symantec Endpoint Protection prior to 14 RU1 MP1 or 12.1 RU6 MP10 could be susceptible to a privilege escalation vulnerability, which is a type of issue that allows a user to gain elevated access to resources that are normally protected at lower access levels.
Categories: NVD

CVE-2018-6211

Wed, 06/20/2018 - 12:29
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, OS command injection is possible as a result of incorrect processing of the res_buf parameter to index.cgi.
Categories: NVD

CVE-2018-6212

Wed, 06/20/2018 - 12:29
On D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, a reflected Cross-Site Scripting (XSS) attack is possible as a result of missed filtration for special characters in the "Search" field and incorrect processing of the XMLHttpRequest object.
Categories: NVD

CVE-2018-6213

Wed, 06/20/2018 - 12:29
In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of anonymous for the admin account.
Categories: NVD

CVE-2018-9036

Wed, 06/20/2018 - 11:29
CheckSec Canopy 3.x before 3.0.7 has stored XSS via the Login Page Disclaimer, allowing attacks by low-privileged users against higher-privileged users.
Categories: NVD

CVE-2018-12327

Wed, 06/20/2018 - 10:29
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.
Categories: NVD

CVE-2018-12558

Wed, 06/20/2018 - 10:29
The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
Categories: NVD

CVE-2018-6563

Wed, 06/20/2018 - 10:29
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti-CSRF token.
Categories: NVD

CVE-2018-1120

Wed, 06/20/2018 - 09:29
A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).
Categories: NVD

CVE-2018-1132

Wed, 06/20/2018 - 09:29
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp. SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not packaged in the opendaylight package included in RHEL.
Categories: NVD

CVE-2018-12594

Wed, 06/20/2018 - 09:29
Reliable Controls MACH-ProWebCom 7.80 devices allow remote attackers to obtain sensitive information via a direct request for the data/fileinfo.xml or job/job.json file, as demonstrated the Master Password field.
Categories: NVD

CVE-2018-12445

Wed, 06/20/2018 - 08:29
** DISPUTED ** An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The FingerprintManager class for Biometric validation allows authentication bypass through the callback method from onAuthenticationFailed to onAuthenticationSucceeded with null, because the fingerprint API in conjunction with the Android keyGenerator class is not implemented. In other words, an attacker could authenticate with an arbitrary fingerprint. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
Categories: NVD

CVE-2018-12446

Wed, 06/20/2018 - 08:29
** DISPUTED ** An issue was discovered in the com.dropbox.android application 98.2.2 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
Categories: NVD

CVE-2018-12590

Wed, 06/20/2018 - 08:29
Ubiquiti Networks EdgeSwitch version 1.7.3 and prior suffer from an externally controlled format-string vulnerability due to lack of protection on the admin CLI, leading to code execution and privilege escalation greater than administrators themselves are allowed. An attacker with access to an admin account could escape the restricted CLI and execute arbitrary code.
Categories: NVD