Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-04-24 CVE-2017-7944 Cross-site Scripting vulnerability in Xoops 2.5.8.1
XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.
network
low complexity
xoops CWE-79
6.1
2017-04-24 CVE-2017-8082 Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS 8.1.0
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI.
network
low complexity
concretecms CWE-352
6.5
2017-04-24 CVE-2015-0107 Path Traversal vulnerability in IBM products
IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to conduct directory traversal attacks via unspecified vectors.
network
low complexity
ibm CWE-22
6.5
2017-04-24 CVE-2010-5329 Resource Management Errors vulnerability in Linux Kernel
The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the Linux kernel before 2.6.39 relies on the count value of a v4l2_ext_controls data structure to determine a kmalloc size, which might allow local users to cause a denial of service (memory consumption) via a large value.
local
low complexity
linux CWE-399
5.5
2017-04-24 CVE-2010-5321 Missing Release of Resource after Effective Lifetime vulnerability in Linux Kernel
Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761.
low complexity
linux CWE-772
4.3
2017-04-23 CVE-2017-8078 Improper Authentication vulnerability in Tp-Link Tl-Sg108E Firmware 1.1.2
On the TP-Link TL-SG108E 1.0, the upgrade process can be requested remotely without authentication (httpupg.cgi with a parameter called cmd).
network
low complexity
tp-link CWE-287
5.3
2017-04-23 CVE-2016-2564 Insufficient Entropy vulnerability in Invisioncommunity Invision Power Board
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag.
network
high complexity
invisioncommunity CWE-331
5.9
2017-04-23 CVE-2017-8071 Improper Resource Shutdown or Release vulnerability in Linux Kernel
drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors.
local
low complexity
linux CWE-404
5.5
2017-04-22 CVE-2017-8056 XXE vulnerability in Watchguard Fireware 11.0.2/11.1/11.2.1
WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent.
network
low complexity
watchguard CWE-611
5.3
2017-04-22 CVE-2017-8055 Information Exposure Through Discrepancy vulnerability in Watchguard Fireware 11.0.2/11.1/11.2.1
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler.
network
low complexity
watchguard CWE-203
5.3