Weekly Vulnerabilities Reports > August 29 to September 4, 2016

Overview

63 new vulnerabilities reported during this period, including 10 critical vulnerabilities and 7 high severity vulnerabilities. This weekly summary report vulnerabilities in 53 products from 27 vendors including IBM, Cisco, Nuuo, Netgear, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Information Exposure", "Improper Input Validation", "Cross-Site Request Forgery (CSRF)", and "Out-of-bounds Write".

  • 53 reported vulnerabilities are remotely exploitables.
  • 11 reported vulnerabilities have public exploit available.
  • 22 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 48 reported vulnerabilities are exploitable by an anonymous user.
  • IBM has the most reported vulnerabilities, with 14 reported vulnerabilities.
  • Nuuo has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

10 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-09-03 CVE-2015-5719 Misp Project Insecure Temporary File Creation vulnerability in Malware Information Sharing Platform

app/Controller/TemplatesController.php in Malware Information Sharing Platform (MISP) before 2.3.92 does not properly restrict filenames under the tmp/files/ directory, which has unspecified impact and attack vectors.

10.0
2016-09-02 CVE-2016-5636 Python Integer Overflow OR Wraparound vulnerability in Python

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow.

10.0
2016-09-02 CVE-2016-1473 Cisco Information Exposure vulnerability in Cisco Small Business 220 Series Smart Plus Switches 1.0.0.17/1.0.0.18/1.0.0.19

Cisco Small Business 220 devices with firmware before 1.0.1.1 have a hardcoded SNMP community, which allows remote attackers to read or modify SNMP objects by leveraging knowledge of this community, aka Bug ID CSCuz76216.

10.0
2016-08-31 CVE-2016-5678 Nuuo USE of Hard-Coded Credentials vulnerability in Nuuo Nvrmini 2 and Nvrsolo

NUUO NVRmini 2 1.0.0 through 3.0.0 and NUUO NVRsolo 1.0.0 through 3.0.0 have hardcoded root credentials, which allows remote attackers to obtain administrative access via unspecified vectors.

10.0
2016-08-31 CVE-2016-5675 Netgear
Nuuo
Improper Input Validation vulnerability in multiple products

handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the NTPServer parameter.

10.0
2016-08-31 CVE-2016-5674 Netgear
Nuuo
Improper Input Validation vulnerability in multiple products

__debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.

10.0
2016-09-03 CVE-2016-1464 Cisco Improper Input Validation vulnerability in Cisco Webex WRF Player T29 Sp10Base

Cisco WebEx Meetings Player T29.10, when WRF file support is enabled, allows remote attackers to execute arbitrary code via a crafted file, aka Bug ID CSCva09375.

9.3
2016-08-31 CVE-2016-5333 Vmware USE of Hard-Coded Credentials vulnerability in VMWare Photon OS 1.0

VMware Photos OS OVA 1.0 before 2016-08-14 has a default SSH public key in an authorized_keys file, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.

9.3
2016-08-31 CVE-2016-5680 Nuuo
Netgear
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in cgi-bin/cgi_main in NUUO NVRmini 2 1.7.6 through 3.0.0 and NETGEAR ReadyNAS Surveillance 1.1.2 allows remote authenticated users to execute arbitrary code via the sn parameter to the transfer_license command.

9.0
2016-08-31 CVE-2016-5679 Nuuo
Netgear
OS Command Injection vulnerability in multiple products

cgi-bin/cgi_main in NUUO NVRmini 2 1.7.6 through 3.0.0 and NETGEAR ReadyNAS Surveillance 1.1.2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the sn parameter to the transfer_license command.

9.0

7 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-09-03 CVE-2015-5721 Misp Project Code Injection vulnerability in Misp-Project Malware Information Sharing Platform

Malware Information Sharing Platform (MISP) before 2.3.90 allows remote attackers to conduct PHP object injection attacks via crafted serialized data, related to TemplatesController.php and populate_event_from_template_attributes.ctp.

7.5
2016-08-31 CVE-2016-5336 Vmware Remote Code Execution vulnerability in VMware vRealize Automation 7.0/7.0.1

VMware vRealize Automation 7.0.x before 7.1 allows remote attackers to execute arbitrary code via unspecified vectors.

7.5
2016-08-30 CVE-2016-6195 Vbulletin SQL Injection vulnerability in Vbulletin 4.2.2/4.2.3

SQL injection vulnerability in forumrunner/includes/moderation.php in vBulletin before 4.2.2 Patch Level 5 and 4.2.3 before Patch Level 1 allows remote attackers to execute arbitrary SQL commands via the postids parameter to forumrunner/request.php, as exploited in the wild in July 2016.

7.5
2016-08-30 CVE-2016-7115 MAC Telnet Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Mac-Telnet Project Mac-Telnet

Buffer overflow in the handle_packet function in mactelnet.c in the client in MAC-Telnet 0.4.3 and earlier allows remote TELNET servers to execute arbitrary code via a long string in an MT_CPTYPE_PASSSALT control packet.

7.5
2016-08-30 CVE-2016-5344 Google
Linux
Integer Overflow OR Wraparound vulnerability in multiple products

Multiple integer overflows in the MDSS driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allow attackers to cause a denial of service or possibly have unspecified other impact via a large size value, related to mdss_compat_utils.c, mdss_fb.c, and mdss_rotator.c.

7.5
2016-08-31 CVE-2016-5335 Vmware Local Privilege Escalation vulnerability in VMWare Identity Manger and Vrealize Automation

VMware Identity Manager 2.x before 2.7 and vRealize Automation 7.0.x before 7.1 allow local users to obtain root access via unspecified vectors.

7.2
2016-08-30 CVE-2016-5342 Google
Linux
Out-Of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the wcnss_wlan_write function in drivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact by writing to /dev/wcnss_wlan with an unexpected amount of data.

7.2

30 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-09-03 CVE-2016-6377 Cisco Improper Authentication vulnerability in Cisco Media Origination System Suite

Media Origination System Suite Software 2.6 and earlier in Cisco Virtual Media Packager (VMP) allows remote attackers to bypass authentication and make arbitrary Platform and Applications Manager (PAM) API calls via unspecified vectors, aka Bug ID CSCuz52110.

6.8
2016-09-02 CVE-2016-7123 GNU Cross-Site Request Forgery (CSRF) vulnerability in GNU Mailman

Cross-site request forgery (CSRF) vulnerability in the admin web interface in GNU Mailman before 2.1.15 allows remote attackers to hijack the authentication of administrators.

6.8
2016-09-02 CVE-2016-6893 GNU Cross-Site Request Forgery (CSRF) vulnerability in GNU Mailman

Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim's account.

6.8
2016-09-02 CVE-2016-4853 Akabei Soft2 OS Command Injection vulnerability in Akabei Soft2 Happy Wardrobe

AKABEi SOFT2 games allow remote attackers to execute arbitrary OS commands via crafted saved data, as demonstrated by Happy Wardrobe.

6.8
2016-09-02 CVE-2016-1470 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Small Business 220 Series Smart Plus Switches 1.0.0.17/1.0.0.18/1.0.0.19

Cross-site request forgery (CSRF) vulnerability in the web-based management interface on Cisco Small Business 220 devices with firmware before 1.0.1.1 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuz76230.

6.8
2016-09-01 CVE-2016-4264 Adobe XXE vulnerability in Adobe Coldfusion 10.0/11.0

The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

6.4
2016-09-02 CVE-2016-6376 Cisco Resource Management Errors vulnerability in Cisco products

The Adaptive Wireless Intrusion Prevention System (wIPS) feature on Cisco Wireless LAN Controller (WLC) devices before 8.0.140.0, 8.1.x and 8.2.x before 8.2.121.0, and 8.3.x before 8.3.102.0 allows remote attackers to cause a denial of service (device restart) via a malformed wIPS packet, aka Bug ID CSCuz40263.

6.1
2016-09-02 CVE-2016-0772 Python Protection Mechanism Failure vulnerability in Python

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."

5.8
2016-09-03 CVE-2016-5430 Jose PHP Project Information Exposure vulnerability in Jose-PHP Project Jose-PHP

The RSA 1.5 algorithm implementation in the JOSE_JWE class in JWE.php in jose-php before 2.2.1 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

5.0
2016-09-02 CVE-2016-6483 Vbulletin Server-Side Request Forgery (SSRF) vulnerability in Vbulletin

The media-file upload feature in vBulletin before 3.8.7 Patch Level 6, 3.8.8 before Patch Level 2, 3.8.9 before Patch Level 1, 4.x before 4.2.2 Patch Level 6, 4.2.3 before Patch Level 2, 5.x before 5.2.0 Patch Level 3, 5.2.1 before Patch Level 1, and 5.2.2 before Patch Level 1 allows remote attackers to conduct SSRF attacks via a crafted URL that results in a Redirection HTTP status code.

5.0
2016-09-02 CVE-2016-1472 Cisco Improper Input Validation vulnerability in Cisco Small Business 220 Series Smart Plus Switches 1.0.0.17/1.0.0.18/1.0.0.19

The web-based management interface on Cisco Small Business 220 devices with firmware before 1.0.1.1 allows remote attackers to cause a denial of service (interface outage) via a crafted HTTP request, aka Bug ID CSCuz76238.

5.0
2016-09-01 CVE-2016-2183 Redhat
Python
Cisco
Openssl
Oracle
Information Exposure vulnerability in multiple products

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

5.0
2016-08-31 CVE-2016-5677 Netgear
Nuuo
Information Exposure vulnerability in multiple products

NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 have a hardcoded qwe23622260 password for the nuuoeng account, which allows remote attackers to obtain sensitive information via an __nvr_status___.php request.

5.0
2016-08-31 CVE-2016-5676 Netgear
Nuuo
Improper Authorization vulnerability in multiple products

cgi-bin/cgi_system in NUUO NVRmini 2 1.7.5 through 2.x, NUUO NVRsolo 1.7.5 through 2.x, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to reset the administrator password via a cmd=loaddefconfig action.

5.0
2016-08-31 CVE-2016-5332 Vmware Path Traversal vulnerability in VMWare Vrealize LOG Insight

Directory traversal vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.6.0 allows remote attackers to read arbitrary files via unspecified vectors.

5.0
2016-08-31 CVE-2016-7118 Debian Null Pointer Dereference vulnerability in Debian Linux 7.0

fs/fcntl.c in the "aufs 3.2.x+setfl-debian" patch in the linux-image package 3.2.0-4 (kernel 3.2.81-1) in Debian wheezy mishandles F_SETFL fcntl calls on directories, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via standard filesystem operations, as demonstrated by scp from an AUFS filesystem.

4.9
2016-09-02 CVE-2016-5879 IBM Improper Input Validation vulnerability in IBM MQ Appliance Firmware 8.0

MQCLI on IBM MQ Appliance M2000 and M2001 devices allows local users to execute arbitrary shell commands via a crafted (1) Disaster Recovery or (2) High Availability command.

4.6
2016-09-03 CVE-2016-5429 Jose PHP Project Information Exposure vulnerability in Jose-PHP Project Jose-PHP

jose-php before 2.2.1 does not use constant-time operations for HMAC comparison, which makes it easier for remote attackers to obtain sensitive information via a timing attack, related to JWE.php and JWS.php.

4.3
2016-09-03 CVE-2016-1415 Cisco Resource Management Errors vulnerability in Cisco Webex WRF Player T29 Sp10Base

Cisco WebEx Meetings Player T29.10, when WRF file support is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted file, aka Bug ID CSCuz80455.

4.3
2016-09-03 CVE-2015-5720 Misp Project Cross-Site Scripting vulnerability in Misp-Project Malware Information Sharing Platform

Multiple cross-site scripting (XSS) vulnerabilities in the template-creation feature in Malware Information Sharing Platform (MISP) before 2.3.90 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) add.ctp, (2) edit.ctp, and (3) ajaxification.js.

4.3
2016-09-02 CVE-2016-5699 Python Http Response Splitting vulnerability in Python

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

4.3
2016-09-02 CVE-2016-4851 LET S PHP Cross-Site Scripting vulnerability in Let'S PHP! Simple Chat

Cross-site scripting (XSS) vulnerability in Let's PHP! simple chat before 2016-08-15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2016-09-02 CVE-2016-4848 Clip Bucket Cross-Site Scripting vulnerability in Clip-Bucket Clipbucket

Cross-site scripting (XSS) vulnerability in ClipBucket before 2.8.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2016-09-02 CVE-2016-1471 Cisco Cross-Site Scripting vulnerability in Cisco Small Business 220 Series Smart Plus Switches 1.0.0.17/1.0.0.18/1.0.0.19

Cross-site scripting (XSS) vulnerability in the web-based management interface on Cisco Small Business 220 devices with firmware before 1.0.1.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuz76232.

4.3
2016-09-01 CVE-2016-6298 Jwcrypto Project Information Exposure vulnerability in Jwcrypto Project Jwcrypto 0.3.1

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA).

4.3
2016-09-01 CVE-2016-0293 IBM Cross-Site Scripting vulnerability in IBM Bigfix Platform

Cross-site scripting (XSS) vulnerability in IBM BigFix Platform (formerly Tivoli Endpoint Manager) 9.x before 9.1.8 and 9.2.x before 9.2.8 allows remote attackers to inject arbitrary web script or HTML via a modified .beswrpt file.

4.3
2016-08-30 CVE-2016-0397 IBM Information Exposure vulnerability in IBM Bigfix Webreports

WebReports in IBM BigFix Platform (formerly Tivoli Endpoint Manager) 9.x before 9.5.2 allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.

4.3
2016-08-29 CVE-2016-5721 Zimbra Cross-Site Scripting vulnerability in Zimbra Collaboration Server

Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2016-09-01 CVE-2016-5047 Netapp Denial of Service vulnerability in Netapp Oncommand System Manager 8.3/8.3.1/8.3.2

NetApp OnCommand System Manager 8.3.x before 8.3.2P5 allows remote authenticated users to cause a denial of service via unspecified vectors.

4.0
2016-09-01 CVE-2016-3064 Netapp Information Exposure vulnerability in Netapp Clustered Data Ontap

NetApp Clustered Data ONTAP before 8.2.4P4 and 8.3.x before 8.3.2P2 allows remote authenticated users to obtain sensitive cluster and tenant information via unspecified vectors.

4.0

16 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-09-01 CVE-2016-3010 IBM Cross-Site Scripting vulnerability in IBM Connections

Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-2997, and CVE-2016-3005.

3.5
2016-09-01 CVE-2016-3008 IBM Cross-Site Scripting vulnerability in IBM Connections 5.0.0.0/5.5.0.0

Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2954 and CVE-2016-2956.

3.5
2016-09-01 CVE-2016-3005 IBM Cross-Site Scripting vulnerability in IBM Connections

Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-2997, and CVE-2016-3010.

3.5
2016-09-01 CVE-2016-2998 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Connections

Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that update data.

3.5
2016-09-01 CVE-2016-2997 IBM Cross-Site Scripting vulnerability in IBM Connections

Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-3005, and CVE-2016-3010.

3.5
2016-09-01 CVE-2016-2995 IBM Cross-Site Scripting vulnerability in IBM Connections

Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2997, CVE-2016-3005, and CVE-2016-3010.

3.5
2016-09-01 CVE-2016-2956 IBM Cross-Site Scripting vulnerability in IBM Connections 5.0.0.0/5.5.0.0

Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2954 and CVE-2016-3008.

3.5
2016-09-01 CVE-2016-2954 IBM Cross-Site Scripting vulnerability in IBM Connections 5.0.0.0/5.5.0.0

Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2956 and CVE-2016-3008.

3.5
2016-09-01 CVE-2016-0385 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Websphere Application Server

Buffer overflow in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 before 8.5.5.10, 9.0 before 9.0.0.1, and Liberty before 16.0.0.3, when HttpSessionIdReuse is enabled, allows remote authenticated users to obtain sensitive information via unspecified vectors.

3.5
2016-09-01 CVE-2016-0370 IBM Cross-Site Scripting vulnerability in IBM Forms Experience Builder

Cross-site scripting (XSS) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3 allows remote authenticated users to inject arbitrary web script or HTML via crafted input to an application that was built with this product.

3.5
2016-08-31 CVE-2016-7119 Dotnetnuke Cross-Site Scripting vulnerability in Dotnetnuke

Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element.

3.5
2016-08-30 CVE-2016-0292 IBM Information Exposure vulnerability in IBM Bigfix

WebReports in IBM BigFix Platform (formerly Tivoli Endpoint Manager) 9.x before 9.5.2 allows local users to discover the cleartext system password by reading a report.

2.1
2016-09-02 CVE-2016-5107 Qemu
Canonical
Debian
Out-Of-Bounds Read vulnerability in multiple products

The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors.

1.9
2016-09-02 CVE-2016-5106 Qemu
Canonical
Debian
Out-Of-Bounds Write vulnerability in multiple products

The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command.

1.9
2016-09-02 CVE-2016-5105 Qemu
Canonical
Debian
USE of Uninitialized Resource vulnerability in multiple products

The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command.

1.9
2016-09-02 CVE-2016-4952 Qemu
Canonical
Debian
Out-Of-Bounds Write vulnerability in multiple products

QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command.

1.9