Latest 7 days CVE Lists

Latest 7 days CVE Lists 피드 구독하기
This feed contains the most recent CVE cyber vulnerabilities published within the National Vulnerability Database.
업데이트: 8분 50초 지남

CVE-2019-11029

금, 2019/08/23 - 12:15오전
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Download() method of AutoUpdateService in SMServer.exe, leading to Directory Traversal. An attacker could use ..\ with this method to iterate over lists of interesting system files and download them without previous authentication. This includes SAM-database backups, Web.config files, etc. and might cause a serious impact on confidentiality.

CVE-2019-11030

금, 2019/08/23 - 12:15오전
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserialization within the .NET garbage collector, in which a gadget (contained in a serialized object) may be executed with SYSTEM privileges. The attacker must properly encrypt the object; however, the hardcoded keys are available.

CVE-2019-11031

금, 2019/08/23 - 12:15오전
Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. An attacker can upload files with a Setup-Files action, and then execute these files with SYSTEM privileges.

CVE-2018-18572

금, 2019/08/23 - 12:15오전
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn't execute in the application. But this filter didn't prevent the '.pht' extension. Thus, remote authenticated administrators can upload '.pht' files for arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI.

CVE-2019-15319

목, 2019/08/22 - 11:15오후
The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce.

CVE-2019-15320

목, 2019/08/22 - 11:15오후
The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled.

CVE-2019-15321

목, 2019/08/22 - 11:15오후
The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled.

CVE-2019-15322

목, 2019/08/22 - 11:15오후
The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion.

CVE-2019-15323

목, 2019/08/22 - 11:15오후
The ad-inserter plugin before 2.4.20 for WordPress has path traversal.

CVE-2019-15324

목, 2019/08/22 - 11:15오후
The ad-inserter plugin before 2.4.22 for WordPress has remote code execution.

CVE-2019-5632

목, 2019/08/22 - 11:15오후
An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.

CVE-2019-5633

목, 2019/08/22 - 11:15오후
An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions.

CVE-2019-5634

목, 2019/08/22 - 11:15오후
An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and direct connections to the lock via Bluetooth Low Energy (BLE) from the mobile application are logged in a debug log on the Android device at HickorySmartLog/Logs/SRDeviceLog.txt. This information was found stored in the Android device's default USB or SDcard storage paths and is accessible without rooting the device. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.

CVE-2019-5635

목, 2019/08/22 - 11:15오후
A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge device communicates over the network to an MQTT broker without using encryption. This exposed the default username and password used to authenticate to the MQTT broker. This issue affects Hickory Smart Ethernet Bridge, model number H077646. The firmware does not appear to contain versioning information.

CVE-2017-18577

목, 2019/08/22 - 11:15오후
The mailchimp-for-wp plugin before 4.1.8 for WordPress has XSS via the return value of add_query_arg.

CVE-2017-18580

목, 2019/08/22 - 11:15오후
The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.

CVE-2017-18581

목, 2019/08/22 - 11:15오후
The time-sheets plugin before 1.5.0 for WordPress has XSS via the old timesheet list.

CVE-2017-18582

목, 2019/08/22 - 11:15오후
The time-sheets plugin before 1.5.2 for WordPress has multiple XSS issues.

CVE-2017-18583

목, 2019/08/22 - 11:15오후
The post-pay-counter plugin before 2.731 for WordPress has PHP Object Injection.

CVE-2017-18584

목, 2019/08/22 - 11:15오후
The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action.

페이지