Latest 7 days CVE Lists

This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.

CVE-2018-18472

Thu, 2019/06/20 - 1:15 AM
Western Digital WD My Book Live (all versions) has a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device.

CVE-2018-18757

Thu, 2019/06/20 - 1:15 AM
Open Faculty Evaluation System 5.6 for PHP 5.6 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18758.

CVE-2018-18758

Thu, 2019/06/20 - 1:15 AM
Open Faculty Evaluation System 7 for PHP 7 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18757.

CVE-2018-18863 (resourcelink)

Thu, 2019/06/20 - 1:15 AM
NGA ResourceLink 20.0.2.1 allows local file inclusion.

CVE-2018-19878

Thu, 2019/06/20 - 1:15 AM
An issue was discovered on Teltonika RTU950 R_31.04.89 devices. The application allows a user to login without limitation. For every successful login request, the application saves a session. A user can re-login without logging out, causing the application to store the session in memory. Exploitation of this vulnerability will increase memory use and consume free space.

CVE-2019-6971

Thu, 2019/06/20 - 12:15 AM
An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker can send a cookie in an HTTP authentication packet to the router management web interface, and fully control the router without knowledge of the credentials.

CVE-2019-6972

Thu, 2019/06/20 - 12:15 AM
An issue was discovered on TP-Link TL-WR1043ND V2 devices. The credentials can be easily decoded and cracked by brute-force, WordList, or Rainbow Table attacks. Specifically, credentials in the "Authorization" cookie are encoded with URL encoding and base64, leading to easy decoding. Also, the username is cleartext, and the password is hashed with the MD5 algorithm (after decoding of the URL encoded string with base64).

CVE-2019-4364 (control_desk, maximo_asset_management, maximo_for_aviation, maximo_for_life_sciences, maximo_for_nuclear_power, maximo_for_oil_and_gas, maximo_for_transportation, maximo_for_utilities, smartcloud_control_desk, tivoli_integration_composer)

Wed, 2019/06/19 - 11:15 PM
IBM Maximo Asset Management 7.6 is vulnerable to CSV injection, which could allow a remote authenticated attacker to execute arbitrary commands on the system. IBM X-Force ID: 161680.

CVE-2019-4384

Wed, 2019/06/19 - 11:15 PM
IBM Campaign 9.1.2 and 10.1 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162172.

CVE-2019-4385 (spectrum_protect_plus)

Wed, 2019/06/19 - 11:15 PM
IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password in the IBM Spectrum Protect Plus Joblog. This can result in an attacker gaining access to sensitive information as well as vSnap. IBM X-Force ID: 162173.

CVE-2017-1107

Wed, 2019/06/19 - 11:15 PM
IBM Marketing Platform 9.1.0, 9.1.2, 10.0, and 10.1 exposes sensitive information in the headers that could be used by an authenticated attacker in further attacks against the system. IBM X-Force ID: 120906.

CVE-2019-10257

Wed, 2019/06/19 - 11:15 PM
Zucchetti HR Portal through 2019-03-15 allows Directory Traversal. Unauthenticated users can escape outside of the restricted location (dot-dot-slash notation) to access files or directories that are elsewhere on the system. Through this vulnerability it is possible to read the application's Java sources from /WEB-INF/classes/*.class.

CVE-2019-12814

Wed, 2019/06/19 - 11:15 PM
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

CVE-2019-4303 (control_desk, maximo_asset_management, maximo_for_aviation, maximo_for_life_sciences, maximo_for_nuclear_power, maximo_for_oil_and_gas, maximo_for_transportation, maximo_for_utilities, smartcloud_control_desk, tivoli_integration_composer)

Wed, 2019/06/19 - 11:15 PM
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 160949.

CVE-2019-12435

Wed, 2019/06/19 - 9:15 PM
Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer dereference, leading to Denial of Service. This is related to the AD DC DNS management server (dnsserver) RPC server process.

CVE-2019-12436

Wed, 2019/06/19 - 9:15 PM
Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to an AD DC LDAP server Denial of Service. This is related to an attacker using the paged search control. The attacker must have directory read access in order to attempt an exploit.

CVE-2019-3896

Wed, 2019/06/19 - 9:15 AM
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).

CVE-2019-3954

Wed, 2019/06/19 - 9:15 AM
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.

CVE-2019-10085

Wed, 2019/06/19 - 9:15 AM
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.

CVE-2019-11038

Wed, 2019/06/19 - 9:15 AM
When using the gdImageCreateFromXbm() function of the gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.