Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-09-06 | CVE-2015-7225 | 7PK - Security Features vulnerability in Tinfoilsecurity Devise-Two-Factor: Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step. | 5.3 |
| 2017-09-06 | CVE-2015-6250 | Information Exposure vulnerability in Simple-PHP-Captcha Project Simple-PHP-Captcha 1.0.0/1.0.1/20150831: simple-php-captcha before commit 9d65a945029c7be7bb6bc893759e74c5636be694 allows remote attackers to automatically generate the captcha response by running the same code on the client-side. | 5.3 |
| 2017-09-06 | CVE-2015-5186 | Improper Input Validation vulnerability in Linux Audit Project Linux Audit: Audit before 2.4.4 in Linux does not sanitize escape characters in filenames. | 5.3 |
| 2017-09-06 | CVE-2015-3163 | Improper Access Control vulnerability in Redhat Beaker: The admin pages for power types and key types in Beaker before 20.1 do not have any access controls, which allows remote authenticated users to modify power types and key types via navigating to $BEAKER/powertypes and $BEAKER/keytypes respectively. | 4.3 |
| 2017-09-06 | CVE-2015-3162 | Cross-site Scripting vulnerability in Beaker-Project Beaker 20.1: Cross-site scripting (XSS) vulnerability in the edit comment dialog in bkr/server/widgets.py in Beaker 20.1 allows remote authenticated users to inject arbitrary web script or HTML via writing a crafted comment on an acked or nacked canceled job. | 5.4 |
| 2017-09-06 | CVE-2015-3161 | Cross-site Scripting vulnerability in Beaker-Project Beaker: The search bar code in bkr/server/widgets.py in Beaker before 20.1 does not escape </script> tags in string literals when producing JSON. | 4.8 |
| 2017-09-06 | CVE-2015-3160 | XXE vulnerability in Beaker-Project Beaker: XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system. | 4.3 |
| 2017-09-06 | CVE-2015-2943 | Improper Certificate Validation vulnerability in Honda Moto Linc 1.6.1: Honda Moto LINC 1.6.1 does not verify SSL certificates. | 5.9 |
| 2017-09-06 | CVE-2017-14166 | Out-of-bounds Read vulnerability in multiple products: libarchive 3.3.2 allows remote attackers to cause a denial of service (xml_data heap-based buffer over-read and application crash) via a crafted xar archive, related to the mishandling of empty strings in the atol8 function in archive_read_support_format_xar.c. | 6.5 |
| 2017-09-06 | CVE-2017-14165 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Graphicsmagick 1.3.26: The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has an issue where memory allocation is excessive because it depends only on a length field in a header. | 6.5 |