Vulnerabilities > High

DATE CVE VULNERABILITY TITLE RISK
2017-04-11 CVE-2017-7694 Code Injection vulnerability in Getsymphony Symphony
Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end.
network
low complexity
getsymphony CWE-94
8.8
2017-04-11 CVE-2015-8666 Out-of-bounds Write vulnerability in multiple products
Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator.
local
low complexity
qemu debian CWE-787
7.9
2017-04-11 CVE-2015-7893 Improper Input Validation vulnerability in Samsung Galaxy S6
SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email content, allows remote attackers to execute arbitrary JavaScript.
network
low complexity
samsung CWE-20
8.8
2017-04-11 CVE-2017-6088 SQL Injection vulnerability in Eyesofnetwork 4.23/4.30/5.0
Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) bp_name, (2) display, (3) search, or (4) equipment parameter to module/monitoring_ged/ged_functions.php or the (5) type parameter to monitoring_ged/ajax.php.
network
low complexity
eyesofnetwork CWE-89
7.2
2017-04-11 CVE-2016-4989 Command Injection vulnerability in multiple products
setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445.
local
high complexity
setroubleshoot-project redhat CWE-77
7.0
2017-04-11 CVE-2016-4446 Command Injection vulnerability in multiple products
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.
local
high complexity
setroubleshoot-project redhat CWE-77
7.0
2017-04-11 CVE-2016-4445 Command Injection vulnerability in multiple products
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function.
local
high complexity
setroubleshoot-project redhat CWE-77
7.0
2017-04-11 CVE-2016-4444 Command Injection vulnerability in multiple products
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.
local
high complexity
setroubleshoot-project redhat CWE-77
7.0
2017-04-11 CVE-2016-4483 Deserialization of Untrusted Data vulnerability in multiple products
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization.
network
low complexity
xmlsoft debian oracle CWE-502
7.5
2017-04-11 CVE-2016-4468 SQL Injection vulnerability in multiple products
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
network
low complexity
pivotal-software cloudfoundry CWE-89
8.8