Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2017-01-18 CVE-2016-7999 Server-Side Request Forgery (SSRF) vulnerability in Spip
ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to conduct server side request forgery (SSRF) attacks via a URL in the var_url parameter in a valider_xml action.
network
low complexity
spip CWE-918
7.4
2017-01-18 CVE-2016-7998 Improper Input Validation vulnerability in Spip
The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.
network
low complexity
spip CWE-20
8.8
2017-01-18 CVE-2016-7997 NULL Pointer Dereference vulnerability in Graphicsmagick
The WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (assertion failure and crash) via vectors related to a ReferenceBlob and a NULL pointer.
network
low complexity
graphicsmagick CWE-476
7.5
2017-01-18 CVE-2016-7996 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Graphicsmagick
Heap-based buffer overflow in the WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to have unspecified impact via a colormap with a large number of entries.
network
low complexity
graphicsmagick CWE-119
critical
9.8
2017-01-18 CVE-2016-7982 Path Traversal vulnerability in Spip
Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.
network
low complexity
spip CWE-22
7.5
2017-01-18 CVE-2016-7981 Cross-site Scripting vulnerability in Spip
Cross-site scripting (XSS) vulnerability in valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the var_url parameter in a valider_xml action.
network
low complexity
spip CWE-79
6.1
2017-01-18 CVE-2016-7980 Cross-Site Request Forgery (CSRF) vulnerability in Spip
Cross-site request forgery (CSRF) vulnerability in ecrire/exec/valider_xml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that execute the XML validator on a local file via a crafted valider_xml request.
network
low complexity
spip CWE-352
8.8
2017-01-18 CVE-2016-7906 Use After Free vulnerability in multiple products
magick/attribute.c in ImageMagick 7.0.3-2 allows remote attackers to cause a denial of service (use-after-free) via a crafted file.
local
low complexity
imagemagick debian CWE-416
5.5
2017-01-18 CVE-2016-7799 Out-of-bounds Read vulnerability in multiple products
MagickCore/profile.c in ImageMagick before 7.0.3-2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file.
network
low complexity
imagemagick debian CWE-125
6.5
2017-01-18 CVE-2016-7564 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Artifex Mujs
Heap-based buffer overflow in the Fp_toString function in jsfunction.c in Artifex Software MuJS allows attackers to cause a denial of service (crash) via crafted input.
network
low complexity
artifex CWE-119
7.5