Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-09-17 CVE-2017-14501 Out-of-bounds Read vulnerability in Libarchive 3.3.2
An out-of-bounds read flaw exists in parse_file_info in archive_read_support_format_iso9660.c in libarchive 3.3.2 when extracting a specially crafted iso9660 iso file, related to archive_read_format_iso9660_read_header.
network
low complexity
libarchive CWE-125
6.5
2017-09-15 CVE-2015-0110 Improper Access Control vulnerability in IBM products
IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL.
network
low complexity
ibm CWE-284
6.5
2017-09-15 CVE-2017-14498 Cross-site Scripting vulnerability in Silverstripe
SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname, as demonstrated by the admin/pages/edit/EditorToolbar/MediaForm/field/AssetUploadField/upload URI, aka issue SS-2017-017.
network
low complexity
silverstripe CWE-79
6.1
2017-09-15 CVE-2017-10814 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Corega WLR 300 NM Firmware 1.90
Buffer overflow in CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to execute arbitrary code via unspecified vectors.
low complexity
corega CWE-119
6.8
2017-09-15 CVE-2017-10813 OS Command Injection vulnerability in Corega WLR 300 NM Firmware 1.90
CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.
low complexity
corega CWE-78
6.8
2017-09-15 CVE-2017-4926 Cross-site Scripting vulnerability in VMWare Vcenter Server 6.5
VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS).
network
low complexity
vmware CWE-79
5.4
2017-09-15 CVE-2017-4925 NULL Pointer Dereference vulnerability in VMWare products
VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 without patch ESXi600-201706101-SG, ESXi 5.5 without patch ESXi550-201709101-SG, Workstation (12.x before 12.5.3), Fusion (8.x before 8.5.4) contain a NULL pointer dereference vulnerability.
local
low complexity
vmware CWE-476
5.5
2017-09-15 CVE-2017-14340 NULL Pointer Dereference vulnerability in Linux Kernel
The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory.
local
low complexity
linux CWE-476
5.5
2017-09-15 CVE-2017-14489 Improper Input Validation vulnerability in Linux Kernel
The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the Linux kernel through 4.13.2 allows local users to cause a denial of service (panic) by leveraging incorrect length validation.
local
low complexity
linux CWE-20
5.5
2017-09-15 CVE-2017-14483 Race Condition vulnerability in Gentoo Dev-Python-Flower
flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 for Celery Flower sets PID file ownership to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command.
local
low complexity
gentoo CWE-362
5.5