U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
There are 229,178 matching records.
Displaying matches 133,621 through 133,640.
Vuln ID Summary CVSS Severity
CVE-2018-6014

Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data.

Published: January 22, 2018; 7:29:00 PM -0500
V3.0: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-6013

Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. This issue exists in core/admin/ajax/developer/extensions/file-browser.php.

Published: January 22, 2018; 7:29:00 PM -0500
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2018-0862

Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Word Remote Code Execution Vulnerability". This CVE is unique from CVE-2018-0805, CVE-2018-0806, and CVE-2018-0807.

Published: January 22, 2018; 6:29:00 PM -0500
V3.0: 8.8 HIGH
V2.0: 9.3 HIGH
CVE-2018-0849

Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Word Remote Code Execution Vulnerability". This CVE is unique from CVE-2018-0805, CVE-2018-0806, and CVE-2018-0807.

Published: January 22, 2018; 6:29:00 PM -0500
V3.0: 8.8 HIGH
V2.0: 9.3 HIGH
CVE-2018-0848

Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Word Remote Code Execution Vulnerability". This CVE is unique from CVE-2018-0805, CVE-2018-0806, and CVE-2018-0807.

Published: January 22, 2018; 6:29:00 PM -0500
V3.0: 8.8 HIGH
V2.0: 9.3 HIGH
CVE-2018-0845

Equation Editor in Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Word Remote Code Execution Vulnerability". This CVE is unique from CVE-2018-0805, CVE-2018-0806, and CVE-2018-0807.

Published: January 22, 2018; 6:29:00 PM -0500
V3.0: 7.8 HIGH
V2.0: 9.3 HIGH
CVE-2017-1000417

MatrixSSL version 3.7.2 adopts a collision-prone OID comparison logic resulting in possible spoofing of OIDs (e.g. in ExtKeyUsage extension) on X.509 certificates.

Published: January 22, 2018; 6:29:00 PM -0500
V3.0: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2017-1000416

axTLS version 1.5.3 has a coding error in the ASN.1 parser resulting in the year (19)50 of UTCTime being misinterpreted as 2050.

Published: January 22, 2018; 6:29:00 PM -0500
V3.0: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2018-6010

In Yii Framework 2.x before 2.0.14, remote attackers could obtain potentially sensitive information from exception messages, or exploit reflected XSS on the error handler page in non-debug mode. Related to base/ErrorHandler.php, log/Dispatcher.php, and views/errorHandler/exception.php.

Published: January 22, 2018; 5:29:00 PM -0500
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-6009

In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.

Published: January 22, 2018; 5:29:00 PM -0500
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2018-6003

An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.

Published: January 22, 2018; 3:29:00 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2018-6002

The Soundy Background Music plugin 3.9 and below for WordPress has Cross-Site Scripting via soundy-background-music\templates\front-end.php (war_soundy_preview parameter).

Published: January 22, 2018; 3:29:00 PM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-6001

The Soundy Audio Playlist plugin 4.6 and below for WordPress has Cross-Site Scripting via soundy-audio-playlist\templates\front-end.php (war_sdy_pl_preview parameter).

Published: January 22, 2018; 3:29:00 PM -0500
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-6000

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. The do_vpnupload_post function in router/httpd/web.c in vpnupload.cgi provides functionality for setting NVRAM configuration values, which allows attackers to set the admin password and launch an SSH daemon (or enable infosvr command mode), and consequently obtain remote administrative access, via a crafted request. This is available to unauthenticated attackers in conjunction with CVE-2018-5999.

Published: January 22, 2018; 3:29:00 PM -0500
V3.0: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2018-5999

An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In the handle_request function in router/httpd/httpd.c, processing of POST requests continues even if authentication fails.

Published: January 22, 2018; 3:29:00 PM -0500
V3.0: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2018-1000003

Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay.

Published: January 22, 2018; 1:29:00 PM -0500
V3.0: 3.7 LOW
V2.0: 4.3 MEDIUM
CVE-2018-1000002

Improper input validation bugs in DNSSEC validators components in Knot Resolver (prior version 1.5.2) allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay.

Published: January 22, 2018; 1:29:00 PM -0500
V3.1: 3.7 LOW
V2.0: 4.3 MEDIUM
CVE-2018-5761

A man-in-the-middle vulnerability related to vCenter access was found in Rubrik CDM 3.x and 4.x before 4.0.4-p2. This vulnerability might expose Rubrik user credentials configured to access vCenter as Rubrik clusters did not verify TLS certificates presented by vCenter.

Published: January 22, 2018; 12:29:00 PM -0500
V3.0: 8.1 HIGH
V2.0: 4.3 MEDIUM
CVE-2017-17858

Heap-based buffer overflow in the ensure_solid_xref function in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 allows a remote attacker to potentially execute arbitrary code via a crafted PDF file, because xref subsection object numbers are unrestricted.

Published: January 22, 2018; 10:29:00 AM -0500
V3.0: 7.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2018-1045

In Moodle 3.x, there is XSS via a calendar event name.

Published: January 22, 2018; 3:29:00 AM -0500
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW