Vulnerabilities > High

DATE CVE VULNERABILITY TITLE RISK
2017-11-15 CVE-2017-15923 Konversation 1.4.x, 1.5.x, 1.6.x, and 1.7.x before 1.7.3 allow remote attackers to cause a denial of service (crash) via vectors related to parsing of IRC color formatting codes.
network
low complexity
konversation debian
7.5
2017-11-15 CVE-2017-15806 Code Injection vulnerability in Zetacomponents Mail
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."
network
high complexity
zetacomponents CWE-94
8.1
2017-11-15 CVE-2017-15288 Incorrect Permission Assignment for Critical Resource vulnerability in Scala-Lang Scala
The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, and 2.12.x before 2.12.4 uses weak permissions for private files in /tmp/scala-devel/${USER:shared}/scalac-compile-server-port, which allows local users to write to arbitrary class files and consequently gain privileges.
local
low complexity
scala-lang CWE-732
7.8
2017-11-15 CVE-2017-14961 Improper Input Validation vulnerability in Ikarussecurity Anti.Virus 2.16.7
In IKARUS anti.virus 2.16.7, the ntguard.sys driver contains an Arbitrary Write vulnerability because of not validating input values from IOCtl 0x8300000c.
local
low complexity
ikarussecurity CWE-20
7.8
2017-11-15 CVE-2014-4000 Code Injection vulnerability in Cacti
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).
network
low complexity
cacti CWE-94
8.8
2017-11-15 CVE-2017-8815 Improper Input Validation vulnerability in multiple products
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attribute injection attacks via glossary rules.
network
low complexity
mediawiki debian CWE-20
7.5
2017-11-15 CVE-2017-8814 Improper Input Validation vulnerability in multiple products
The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 allows attackers to replace text inside tags via a rule definition followed by "a lot of junk."
network
low complexity
mediawiki debian CWE-20
7.5
2017-11-15 CVE-2017-8810 Information Exposure vulnerability in multiple products
MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2, when a private wiki is configured, provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests.
network
low complexity
mediawiki debian CWE-200
7.5
2017-11-15 CVE-2017-7851 Cross-Site Request Forgery (CSRF) vulnerability in D-Link Dcs-936L
D-Link DCS-936L devices with firmware before 1.05.07 have an inadequate CSRF protection mechanism that requires the device's IP address to be a substring of the HTTP Referer header.
network
low complexity
d-link CWE-352
8.8
2017-11-15 CVE-2017-16832 Integer Overflow or Wraparound vulnerability in GNU Binutils 2.29.1
The pe_bfd_read_buildid function in peicode.h in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29.1, does not validate size and offset values in the data dictionary, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted PE file.
local
low complexity
gnu CWE-190
7.8