National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database



The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
 
Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2018-0622 The DHC Online Shop App for Android version 3.2.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
    Published: July 26, 2018; 01:29:00 PM -04:00

  • CVE-2018-0394 A vulnerability in the web upload function of Cisco Cloud Services Platform 2100 could allow an authenticated, remote attacker to obtain restricted shell access on an affected system. The vulnerability is due to insufficient input validation of param... read CVE-2018-0394
    Published: July 18, 2018; 07:29:01 PM -04:00

  • CVE-2017-7562 An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary prin... read CVE-2017-7562
    Published: July 26, 2018; 11:29:00 AM -04:00

  • CVE-2018-10878 A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image.
    Published: July 26, 2018; 02:29:00 PM -04:00

  • CVE-2018-10879 A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image.
    Published: July 26, 2018; 02:29:00 PM -04:00

  • CVE-2018-10881 A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
    Published: July 26, 2018; 02:29:00 PM -04:00

  • CVE-2017-2664 CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8.1 lacks RBAC controls on certain methods in the rails application portion of CloudForms. An attacker with access could use a variety of methods within the rails application portion... read CVE-2017-2664
    Published: July 26, 2018; 10:29:00 AM -04:00

  • CVE-2018-10620 AVEVA InduSoft Web Studio v8.1 and v8.1SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions... read CVE-2018-10620
    Published: July 19, 2018; 03:29:00 PM -04:00

  • CVE-2017-2652 It was found that there were no permission checks performed in the Distributed Fork plugin before and including 1.5.0 for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that pe... read CVE-2017-2652
    Published: July 27, 2018; 04:29:00 PM -04:00

    V3: 8.8 HIGH
    V2: 9.0 HIGH

  • CVE-2017-2648 It was found that jenkins-ssh-slaves-plugin before version 1.15 did not perform host key verification, thereby enabling Man-in-the-Middle attacks.
    Published: July 27, 2018; 04:29:00 PM -04:00

  • CVE-2017-12164 A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer setting the ran_once boolean during autologin. If autologin was enabled for a victim, an attacker could simply select 'login as another user' to unlock their screen.
    Published: July 26, 2018; 12:29:00 PM -04:00

  • CVE-2017-7509 An input validation error was found in Red Hat Certificate System's handling of client provided certificates before 8.1.20-1. If the certreq field is not present in a certificate an assertion error is triggered causing a denial of service.
    Published: July 26, 2018; 12:29:00 PM -04:00

  • CVE-2017-12171 A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a res... read CVE-2017-12171
    Published: July 26, 2018; 01:29:00 PM -04:00

  • CVE-2017-2649 It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
    Published: July 27, 2018; 04:29:00 PM -04:00

  • CVE-2018-14596 wancms 1.0 through 5.0 allows remote attackers to cause a denial of service (resource consumption) via a checkcode (aka verification code) URI in which the values of font_size, width, and height are large numbers.
    Published: July 25, 2018; 12:29:00 AM -04:00

  • CVE-2017-7545 It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and,... read CVE-2017-7545
    Published: July 26, 2018; 11:29:00 AM -04:00

  • CVE-2018-13385 There was an argument injection vulnerability in Sourcetree for macOS via filenames in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for macOS is able to exploit this issue to gain code e... read CVE-2018-13385
    Published: July 24, 2018; 09:29:00 AM -04:00

  • CVE-2018-14493 Cross-site scripting (XSS) vulnerability in the Groups Page in Open-Audit Community 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the group name.
    Published: July 25, 2018; 07:29:00 PM -04:00

  • CVE-2018-1567 IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.
    Published: September 07, 2018; 11:29:00 AM -04:00

  • CVE-2018-1756 IBM Security Identity Governance and Intelligence 5.2.3.2 and 5.2.4 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, information in the back-end database. IBM X-For... read CVE-2018-1756
    Published: September 07, 2018; 11:29:00 AM -04:00