National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database



The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
 
Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2018-1820 IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure with... read CVE-2018-1820
    Published: September 27, 2018; 03:29:00 PM -04:00

  • CVE-2018-1716 IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure... read CVE-2018-1716
    Published: September 27, 2018; 03:29:00 PM -04:00

  • CVE-2017-17691 Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses cleartext to exchange the username and password between server and client instances, which allows remote attackers to obtain sensitive information via a man in the middle attack.
    Published: September 07, 2018; 06:29:00 PM -04:00

  • CVE-2018-15552 The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable "maxTickets" (which is private, yet predictable and readable by th... read CVE-2018-15552
    Published: September 07, 2018; 06:29:01 PM -04:00

  • CVE-2018-14398 An issue was discovered in Creme CRM 1.6.12. The value of the cancel button uses the content of the HTTP Referer header, and could be used to trick a user into visiting a fake login page in order to steal credentials.
    Published: September 07, 2018; 06:29:00 PM -04:00

  • CVE-2018-1785 IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive information. IBM X-Force ID: 148870.
    Published: September 26, 2018; 11:29:01 AM -04:00

  • CVE-2018-1545 IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 142649.
    Published: September 26, 2018; 11:29:00 AM -04:00

  • CVE-2018-18734 A CSRF issue was discovered in admin/Index/addmanageuser.html in Catfish CMS 4.8.30.
    Published: October 29, 2018; 08:29:08 AM -04:00

  • CVE-2018-17410 Horus CMS allows SQL Injection, as demonstrated by a request to the /busca or /home URI.
    Published: September 26, 2018; 05:29:02 PM -04:00

  • CVE-2018-15484 An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Remote Code Execution is possible through the open HTTP interface by modifying autoexec.bat, aka KONE-01.
    Published: September 07, 2018; 06:29:01 PM -04:00

  • CVE-2018-15486 An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02.
    Published: September 07, 2018; 06:29:01 PM -04:00

  • CVE-2018-15485 An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03.
    Published: September 07, 2018; 06:29:01 PM -04:00

  • CVE-2018-0648 Untrusted search path vulnerability in installer of ChatWork Desktop App for Windows 2.3.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
    Published: September 07, 2018; 10:29:01 AM -04:00

  • CVE-2018-5238 Norton Power Eraser (prior to 5.3.0.24) and SymDiag (prior to 2.1.242) may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a mali... read CVE-2018-5238
    Published: August 22, 2018; 01:29:00 PM -04:00

  • CVE-2018-16651 The admin backend in phpMyFAQ before 2.9.11 allows CSV injection in reports.
    Published: September 07, 2018; 01:29:00 AM -04:00

    V3: 7.2 HIGH
    V2: 9.0 HIGH

  • CVE-2018-16606 In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of... read CVE-2018-16606
    Published: September 06, 2018; 12:29:05 PM -04:00

  • CVE-2018-16398 In Twistlock AuthZ Broker 0.1, regular expressions are mishandled, as demonstrated by containers/aa/pause?aaa=\/start to bypass a policy in which "docker start" is allowed but "docker pause" is not allowed.
    Published: September 03, 2018; 03:29:00 PM -04:00

  • CVE-2018-16604 An issue was discovered in Nibbleblog v4.0.5. With an admin's username and password, an attacker can execute arbitrary PHP code by changing the username because the username is surrounded by double quotes (e.g., "${phpinfo()}").
    Published: September 06, 2018; 12:29:05 PM -04:00

  • CVE-2018-1000773 WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail u... read CVE-2018-1000773
    Published: September 06, 2018; 12:29:05 PM -04:00

  • CVE-2018-16703 A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The... read CVE-2018-16703
    Published: September 07, 2018; 01:29:01 PM -04:00