Weekly Vulnerabilities Reports > October 31 to November 6, 2016

Overview

58 new vulnerabilities were reported during this period, including 6 critical and 12 high-severity vulnerabilities. This weekly summary covers vulnerabilities in 69 products from 29 vendors, including Cisco, Debian, Qemu, Opensuse, and Exponentcms. The most common weakness categories are "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Unrestricted Upload of File with Dangerous Type", "Out-of-bounds Read", and "Cross-site Scripting".

  • 47 reported vulnerabilities are remotely exploitable.
  • 3 reported vulnerabilities have a public exploit available.
  • 11 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 52 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 10.
  • Cisco has the most reported critical vulnerabilities, with 2.


Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report:

6 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2016-11-03 | CVE-2016-6452 | Cisco | Improper Authentication vulnerability in Cisco Prime Home 5.0Base/5.1Base/5.2.0 | 10.0
A vulnerability in the web-based graphical user interface (GUI) of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication.

2016-11-03 | CVE-2016-6441 | Cisco | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Cisco IOS XE | 10.0
A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR 900 Series routers could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system.

2016-11-03 | CVE-2015-8969 | Square, Squareup | Command Injection vulnerability in Squareup Git-Fastclone 1.0.0/1.0.1 | 10.0
git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command.

2016-10-31 | CVE-2016-7990 | Google, Samsung | 7PK - Errors vulnerability in Google Android | 10.0
On Samsung Galaxy S4 through S7 devices, an integer overflow condition exists within libomacp.so when parsing OMACP messages (within WAP Push SMS messages) leading to a heap corruption that can result in Denial of Service and potentially remote code execution, a subset of SVE-2016-6542.

2016-11-03 | CVE-2015-8968 | Square, Squareup | Command Injection vulnerability in Squareup Git-Fastclone 1.0.0 | 9.3
git-fastclone before 1.0.1 permits arbitrary shell command execution from .gitmodules.

2016-11-01 | CVE-2016-7855 | Adobe, Apple, Google, Linux, Microsoft, Redhat | Use After Free vulnerability in multiple products | 9.3
Use-after-free vulnerability in Adobe Flash Player before 23.0.0.205 on Windows and OS X and before 11.2.202.643 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in October 2016.

12 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2016-11-03 | CVE-2016-7160 | Samsung | Null Pointer Dereference vulnerability in Samsung Mobile 6.0 | 7.8
A vulnerability on Samsung Mobile M(6.0) devices exists because external access to SystemUI activities is not properly restricted, leading to a SystemUI crash and device restart, aka SVE-2016-6248.

2016-10-31 | CVE-2016-8203 | Brocade | Buffer Errors vulnerability in Brocade Netiron OS 6.0.00/6.0.00A | 7.8
A memory corruption in the IPsec code path of Brocade NetIron OS on Brocade MLXs 5.8.00 through 5.8.00e, 5.9.00 through 5.9.00bd, 6.0.00, and 6.0.00a images could allow attackers to cause a denial of service (line card reset) via certain constructed IPsec control packets.

2016-10-31 | CVE-2016-7991 | Google, Samsung | 7PK - Errors vulnerability in Google Android | 7.8
On Samsung Galaxy S4 through S7 devices, the "omacp" app ignores security information embedded in the OMACP messages resulting in remote unsolicited WAP Push SMS messages being accepted, parsed, and handled by the device, leading to unauthorized configuration changes, a subset of SVE-2016-6542.

2016-10-31 | CVE-2016-7989 | Google, Samsung | 7PK - Security Features vulnerability in Google Android | 7.8
On Samsung Galaxy S4 through S7 devices, a malformed OTA WAP PUSH SMS containing an OMACP message sent remotely triggers an unhandled ArrayIndexOutOfBoundsException in Samsung's implementation of the WifiServiceImpl class within wifi-service.jar.

2016-10-31 | CVE-2016-7988 | Google, Samsung | Permission Issues vulnerability in Google Android | 7.8
On Samsung Galaxy S4 through S7 devices, absence of permissions on the BroadcastReceiver responsible for handling the com.[Samsung].android.intent.action.SET_WIFI intent leads to unsolicited configuration messages being handled by wifi-service.jar within the Android Framework, a subset of SVE-2016-6542.

2016-11-04 | CVE-2016-8869 | Joomla | Improper Input Validation vulnerability in Joomla Joomla! | 7.5
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

2016-11-04 | CVE-2016-9176 | Microfocus | Buffer Errors vulnerability in Microfocus Rumba 7.4.0/9.4/9.4.0 | 7.5
Stack buffer overflow in the send.exe and receive.exe components of Micro Focus Rumba 9.4 and earlier could be used by local attackers or attackers able to inject arguments to these binaries to execute code.

2016-11-03 | CVE-2016-6448 | Cisco | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Cisco Meeting Server | 7.5
A vulnerability in the Session Description Protocol (SDP) parser of Cisco Meeting Server could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system.

2016-11-03 | CVE-2016-6447 | Cisco | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Cisco Meeting App and Meeting Server | 7.5
A vulnerability in Cisco Meeting Server and Meeting App could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system.

2016-11-03 | CVE-2016-7453 | Exponentcms | SQL Injection vulnerability in Exponentcms Exponent CMS | 7.5
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to perform an fid SQL Injection.

2016-11-03 | CVE-2016-7402 | Sybase | Permissions, Privileges, and Access Controls vulnerability in Sybase Adaptive Server Enterprise | 7.5
SAP ASE 16.0 SP02 PL03 and prior versions allow attackers who own SourceDB and TargetDB databases to elevate privileges to sa (system administrator) via dbcc import_sproc SQL injection.

2016-11-03 | CVE-2016-7095 | Exponentcms | Unrestricted Upload of File With Dangerous Type vulnerability in Exponentcms Exponent CMS | 7.5
Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an unprotected folder, one allowing script execution.

31 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2016-11-04 | CVE-2016-8870 | Joomla | Improper Input Validation vulnerability in Joomla Joomla! | 6.8
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

2016-11-04 | CVE-2016-9190 | Python, Debian | Improper Access Control vulnerability in multiple products | 6.8
Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.

2016-10-31 | CVE-2016-8878 | Foxitsoftware | Out-of-Bounds Read vulnerability in Foxitsoftware Phantompdf and Reader | 6.8
Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to execute arbitrary code via a crafted BMP image embedded in the XFA stream in a PDF document, aka "Data from Faulting Address may be used as a return value starting at FOXITREADER."

2016-10-31 | CVE-2016-8877 | Foxitsoftware | Out-of-Bounds Write vulnerability in Foxitsoftware Phantompdf and Reader | 6.8
Heap buffer overflow (Out-of-Bounds write) vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows allows remote attackers to execute arbitrary code via a crafted JPEG2000 image embedded in a PDF document, aka a "corrupted suffix pattern" issue.

2016-10-31 | CVE-2016-8876 | Foxitsoftware | Out-of-Bounds Read vulnerability in Foxitsoftware Phantompdf and Reader | 6.8
Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to execute arbitrary code via a crafted TIFF image embedded in the XFA stream in a PDF document, aka "Read Access Violation starting at FoxitReader."

2016-11-03 | CVE-2016-6430 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco IP Interoperability and Collaboration System | 6.6
A vulnerability in the command-line interface of the Cisco IP Interoperability and Collaboration System (IPICS) could allow an authenticated, local attacker to elevate the privilege level associated with their session.

2016-11-04 | CVE-2016-9187 | Moodle | Unrestricted Upload of File With Dangerous Type vulnerability in Moodle | 6.5
Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.

2016-11-04 | CVE-2016-9186 | Moodle | Unrestricted Upload of File With Dangerous Type vulnerability in Moodle | 6.5
Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors.

2016-11-04 | CVE-2016-9184 | Exponentcms | Information Exposure vulnerability in Exponentcms Exponent CMS 2.4.0 | 5.0
In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table name, and in the selectObject method in mysqli class, table names are wrapped with a character that common filters do not filter, allowing for SQL Injection.

2016-11-04 | CVE-2016-9183 | Exponentcms | Information Exposure vulnerability in Exponentcms Exponent CMS 2.4.0 | 5.0
In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql.

2016-11-04 | CVE-2016-9182 | Exponentcms | Improper Access Control vulnerability in Exponentcms Exponent CMS 2.4.0 | 5.0
Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission.

2016-11-04 | CVE-2016-9177 | Sparkjava | Path Traversal vulnerability in Sparkjava Spark | 5.0
Directory traversal vulnerability in Spark 2.5 allows remote attackers to read arbitrary files via a ..

2016-11-03 | CVE-2016-6455 | Cisco | Resource Management Errors vulnerability in Cisco ASR 5000 Software | 5.0
A vulnerability in the Slowpath of StarOS for Cisco ASR 5500 Series routers with Data Processing Card 2 (DPC2) could allow an unauthenticated, remote attacker to cause a subset of the subscriber sessions to be disconnected, resulting in a partial denial of service (DoS) condition.

2016-11-03 | CVE-2016-9136 | Artifex | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Artifex Mujs | 5.0
Artifex Software, Inc.

2016-11-03 | CVE-2016-9135 | Exponentcms | Information Exposure vulnerability in Exponentcms Exponent CMS 2.3.9 | 5.0
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the version parameter.

2016-11-03 | CVE-2016-9134 | Exponentcms | Information Exposure vulnerability in Exponentcms Exponent CMS 2.3.9 | 5.0
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/expPaginator.php" affecting the order parameter.

2016-11-03 | CVE-2016-7452 | Exponentcms | Unrestricted Upload of File With Dangerous Type vulnerability in Exponentcms Exponent CMS | 5.0
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal.

2016-11-02 | CVE-2016-8864 | ISC, Netapp, Redhat, Debian | Reachable Assertion vulnerability in multiple products | 5.0
named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c.

2016-11-03 | CVE-2016-6453 | Cisco | SQL Injection vulnerability in Cisco Identity Services Engine 1.3(0.876) | 4.9
A vulnerability in the web framework code of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary SQL commands on the database.

2016-10-31 | CVE-2016-8856 | Foxitsoftware | Permission Issues vulnerability in Foxitsoftware Reader | 4.6
Foxit Reader for Mac 2.1.0.0804 and earlier and Foxit Reader for Linux 2.1.0.0805 and earlier suffered from a vulnerability where weak file permissions could be exploited by attackers to execute arbitrary code.

2016-11-04 | CVE-2016-9189 | Python, Debian | Integer Overflow or Wraparound vulnerability in multiple products | 4.3
Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.

2016-11-04 | CVE-2016-9188 | Moodle | Cross-Site Scripting vulnerability in Moodle | 4.3
Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters.

2016-11-03 | CVE-2016-6454 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Hosted Collaboration Mediation Fulfillment | 4.3
A cross-site request forgery (CSRF) vulnerability in the web interface of the Cisco Hosted Collaboration Mediation Fulfillment application could allow an unauthenticated, remote attacker to execute unwanted actions.

2016-11-03 | CVE-2016-6451 | Cisco | Cross-Site Scripting vulnerability in Cisco Prime Collaboration Provisioning 10.6.0 | 4.3
Multiple vulnerabilities in the web framework code of the Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system.

2016-11-03 | CVE-2016-6429 | Cisco | Cross-Site Scripting vulnerability in Cisco IP Interoperability and Collaboration System 4.10(1) | 4.3
A vulnerability in the web framework code of the Cisco IP Interoperability and Collaboration System (IPICS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack.

2016-10-31 | CVE-2016-8879 | Foxitsoftware | Out-of-Bounds Write vulnerability in Foxitsoftware Phantompdf and Reader | 4.3
The thumbnail shell extension plugin (FoxitThumbnailHndlr_x86.dll) in Foxit Reader and PhantomPDF before 8.1 on Windows allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted JPEG2000 image embedded in a PDF document, aka an "Exploitable - Heap Corruption" issue.

2016-10-31 | CVE-2016-8875 | Foxitsoftware | Out-of-Bounds Read vulnerability in Foxitsoftware Phantompdf and Reader | 4.3
The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF image, aka "Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at ConvertToPDF_x86!CreateFXPDFConvertor."

2016-10-31 | CVE-2016-7965 | Dokuwiki | Improper Input Validation vulnerability in Dokuwiki | 4.3
DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL.

2016-10-31 | CVE-2016-7964 | Dokuwiki | Server-Side Request Forgery (SSRF) vulnerability in Dokuwiki 20160626A | 4.3
The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php in DokuWiki 2016-06-26a and older, when media file fetching is enabled, has no way to restrict access to private networks.

2016-11-04 | CVE-2016-9185 | Openstack | Information Exposure vulnerability in Openstack Heat | 4.0
In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration.

2016-11-03 | CVE-2016-9086 | Gitlab | Information Exposure vulnerability in Gitlab | 4.0
GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab.

9 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2016-11-04 | CVE-2016-8910 | Qemu, Debian, Opensuse, Redhat | Infinite Loop vulnerability in multiple products | 2.1
The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.

2016-11-04 | CVE-2016-8909 | Qemu, Debian, Opensuse, Redhat | Infinite Loop vulnerability in multiple products | 2.1
The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.

2016-11-04 | CVE-2016-8669 | Qemu, Opensuse, Redhat, Debian | Divide by Zero vulnerability in multiple products | 2.1
The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.

2016-11-04 | CVE-2016-8668 | Qemu, Opensuse | Classic Buffer Overflow vulnerability in multiple products | 2.1
The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size.

2016-11-04 | CVE-2016-8667 | Qemu, Opensuse, Debian | Divide by Zero vulnerability in multiple products | 2.1
The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value.

2016-11-04 | CVE-2016-8578 | Qemu, Opensuse, Debian | | 2.1
The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation.

2016-11-04 | CVE-2016-8577 | Qemu, Debian, Opensuse | Missing Release of Resource After Effective Lifetime vulnerability in multiple products | 2.1
Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation.

2016-11-04 | CVE-2016-8576 | Qemu, Opensuse, Redhat, Debian | Allocation of Resources Without Limits or Throttling vulnerability in multiple products | 2.1
The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.

2016-11-03 | CVE-2016-4025 | Avast | 7PK - Security Features vulnerability in Avast products | 2.1
Avast Internet Security v11.x.x, Pro Antivirus v11.x.x, Premier v11.x.x, Free Antivirus v11.x.x, Business Security v11.x.x, Endpoint Protection v8.x.x, Endpoint Protection Plus v8.x.x, Endpoint Protection Suite v8.x.x, Endpoint Protection Suite Plus v8.x.x, File Server Security v8.x.x, and Email Server Security v8.x.x allow attackers to bypass the DeepScreen feature via a DeviceIoControl call.