NVD Vulnerabilities

Subscribe to NVD Vulnerabilities feed
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
Updated: 2 hours 16 min ago

CVE-2018-8340

Wed, 08/15/2018 - 13:29
A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests, aka "AD FS Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows Server 2012 R2, Windows 10 Servers.
Categories: NVD

CVE-2018-15154

Wed, 08/15/2018 - 13:29
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/billing/sl_eob_search.php after modifying the "print_command" global variable in interface/super/edit_globals.php.
Categories: NVD

CVE-2018-15155

Wed, 08/15/2018 - 13:29
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/fax_dispatch.php after modifying the "hylafax_enscript" global variable in interface/super/edit_globals.php.
Categories: NVD

CVE-2018-15156

Wed, 08/15/2018 - 13:29
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/fax/faxq.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.
Categories: NVD

CVE-2018-15172

Wed, 08/15/2018 - 13:29
TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header.
Categories: NVD

CVE-2018-8200

Wed, 08/15/2018 - 13:29
A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8204.
Categories: NVD

CVE-2018-8204

Wed, 08/15/2018 - 13:29
A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8200.
Categories: NVD

CVE-2018-15147

Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'id' parameter.
Categories: NVD

CVE-2018-15148

Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'text' parameter.
Categories: NVD

CVE-2018-15149

Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'encounter' parameter.
Categories: NVD

CVE-2018-15150

Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'temporary_files_dir' variable in interface/super/edit_globals.php.
Categories: NVD

CVE-2018-15151

Wed, 08/15/2018 - 13:29
SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary SQL commands via the 'search_term' parameter.
Categories: NVD

CVE-2018-15152

Wed, 08/15/2018 - 13:29
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access (1) portal/add_edit_event_user.php, (2) portal/find_appt_popup_user.php, (3) portal/get_allergies.php, (4) portal/get_amendments.php, (5) portal/get_lab_results.php, (6) portal/get_medications.php, (7) portal/get_patient_documents.php, (8) portal/get_problems.php, (9) portal/get_profile.php, (10) portal/portal_payment.php, (11) portal/messaging/messages.php, (12) portal/messaging/secure_chat.php, (13) portal/report/pat_ledger.php, (14) portal/report/portal_custom_report.php, or (15) portal/report/portal_patient_report.php without authenticating as a patient.
Categories: NVD

CVE-2018-15153

Wed, 08/15/2018 - 13:29
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands by making a crafted request to interface/main/daemon_frame.php after modifying the "hylafax_server" global variable in interface/super/edit_globals.php.
Categories: NVD

CVE-2018-0952

Wed, 08/15/2018 - 13:29
An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations, aka "Diagnostic Hub Standard Collector Elevation Of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Microsoft Visual Studio, Windows 10 Servers.
Categories: NVD

CVE-2018-10369

Wed, 08/15/2018 - 13:29
A Cross-site scripting (XSS) vulnerability was discovered on Intelbras Win 240 V1.1.0 devices. An attacker can change the Admin Password without a Login.
Categories: NVD

CVE-2018-10917

Wed, 08/15/2018 - 13:29
pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.
Categories: NVD

CVE-2018-11687

Wed, 08/15/2018 - 13:29
An integer overflow in the distributeBTR function of a smart contract implementation for Bitcoin Red (BTCR), an Ethereum ERC20 token, allows the owner to accomplish an unauthorized increase of digital assets by providing a large address[] array, as exploited in the wild in May 2018, aka the "ownerUnderflow" issue.
Categories: NVD

CVE-2018-12056

Wed, 08/15/2018 - 13:29
The maxRandom function of a smart contract implementation for All For One, an Ethereum gambling game, generates a random value with publicly readable variables because the _seed value can be retrieved with a getStorageAt call. Therefore, it allows attackers to always win and get rewards.
Categories: NVD

CVE-2018-15138

Wed, 08/15/2018 - 13:29
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
Categories: NVD