Weekly Vulnerabilities Reports > January 9 to 15, 2017

Overview

293 new vulnerabilities reported during this period, including 90 critical vulnerabilities and 72 high severity vulnerabilities. This weekly summary report vulnerabilities in 178 products from 61 vendors including Linux, Google, Microsoft, Adobe, and Apple. Vulnerabilities are notably categorized as "Information Exposure", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Access Control", and "Improper Input Validation".

  • 277 reported vulnerabilities are remotely exploitables.
  • 20 reported vulnerabilities have public exploit available.
  • 60 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 284 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 98 reported vulnerabilities.
  • Linux has the most reported critical vulnerabilities, with 43 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

90 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-01-14 CVE-2016-8205 Brocade Path Traversal vulnerability in Brocade Network Advisor 11.0.0.0/11.0.2.0

A Directory Traversal vulnerability in DashboardFileReceiveServlet in the Brocade Network Advisor versions released prior to and including 14.0.2 could allow remote attackers to upload a malicious file in a section of the file system where it can be executed.

10.0
2017-01-14 CVE-2016-8204 Broadcom Path Traversal vulnerability in Broadcom Brocade Network Advisor

A Directory Traversal vulnerability in FileReceiveServlet in the Brocade Network Advisor versions released prior to and including 14.0.2 could allow remote attackers to upload a malicious file in a section of the file system where it can be executed.

10.0
2017-01-13 CVE-2015-3188 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Storm 0.10.0

The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors.

10.0
2017-01-12 CVE-2016-3149 Barco Remote Code Execution vulnerability in Barco products

Barco ClickShare CSC-1 devices with firmware before 01.09.03 and CSM-1 devices with firmware before 01.06.02 allow remote attackers to execute arbitrary code via unspecified vectors.

10.0
2017-01-12 CVE-2016-8459 Linux Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel 3.18

Possible buffer overflow in storage subsystem.

10.0
2017-01-12 CVE-2016-8440 Linux Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel 3.18

Possible buffer overflow in SMMU system call.

10.0
2017-01-12 CVE-2016-8439 Linux Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel 3.18

Possible buffer overflow in trust zone access control API.

10.0
2017-01-12 CVE-2016-8438 Linux Integer Overflow or Wraparound vulnerability in Linux Kernel 3.18

Integer overflow leading to a TOCTOU condition in hypervisor PIL.

10.0
2017-01-12 CVE-2016-8437 Linux Improper Input Validation vulnerability in Linux Kernel 3.18

Improper input validation in Access Control APIs.

10.0
2017-01-12 CVE-2016-8398 Linux 7PK - Security Features vulnerability in Linux Kernel 3.18

Unauthenticated messages processed by the UE.

10.0
2017-01-11 CVE-2017-2937 Adobe
Apple
Google
Linux
Microsoft
Use After Free vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript FileReference class, when using class inheritance.

10.0
2017-01-11 CVE-2017-2936 Adobe
Apple
Google
Linux
Microsoft
Use After Free vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript FileReference class.

10.0
2017-01-11 CVE-2017-2935 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when processing the Flash Video container file format.

10.0
2017-01-11 CVE-2017-2934 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when parsing Adobe Texture Format files.

10.0
2017-01-11 CVE-2017-2933 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability related to texture compression.

10.0
2017-01-11 CVE-2017-2932 Adobe
Apple
Google
Linux
Microsoft
Use After Free vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript MovieClip class.

10.0
2017-01-11 CVE-2017-2931 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to the parsing of SWF metadata.

10.0
2017-01-11 CVE-2017-2930 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability due to a concurrency error when manipulating a display list.

10.0
2017-01-11 CVE-2017-2928 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to setting visual mode effects.

10.0
2017-01-11 CVE-2017-2927 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when processing Adobe Texture Format files.

10.0
2017-01-11 CVE-2017-2926 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to processing of atoms in MP4 files.

10.0
2017-01-11 CVE-2017-2925 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability in the JPEG XR codec.

10.0
2017-01-10 CVE-2016-10126 Splunk Permissions, Privileges, and Access Controls vulnerability in Splunk

Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x before 6.0.13, 6.1.x before 6.1.12, 6.2.x before 6.2.12, 6.3.x before 6.3.8, and 6.4.x before 6.4.4 allows remote attackers to conduct HTTP request injection attacks and obtain sensitive REST API authentication-token information via unspecified vectors, aka SPL-128840.

10.0
2017-01-12 CVE-2016-6492 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The MT6573FDVT_SetRegHW function in camera_fdvt.c in the MediaTek driver for Linux allows local users to gain privileges via a crafted application that makes an MT6573FDVTIOC_T_SET_FDCONF_CMD IOCTL call.

9.3
2017-01-12 CVE-2017-0387 Google Privilege Escalation vulnerability in Google Android

An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2017-0386 Google Privilege Escalation vulnerability in Google Android

An elevation of privilege vulnerability in the libnl library could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2017-0385 Google Privilege Escalation vulnerability in Google Android Audioserver

An elevation of privilege vulnerability in Audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2017-0384 Google Privilege Escalation vulnerability in Google Android Audioserver

An elevation of privilege vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in Audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2017-0383 Google Integer Overflow or Wraparound vulnerability in Google Android 7.0/7.1.0

An elevation of privilege vulnerability in the Framework APIs could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2017-0381 Google Integer Overflow or Wraparound vulnerability in Google Android

An information disclosure vulnerability in silk/NLSF_stabilize.c in libopus in Mediaserver could enable a local malicious application to access data outside of its permission levels.

9.3
2017-01-12 CVE-2016-8455 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8436 Linux
Google
Permissions, Privileges, and Access Controls vulnerability in multiple products

An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8435 Linux Improper Access Control vulnerability in Linux Kernel 3.18

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8434 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the Qualcomm GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8433 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8432 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.18

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8431 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.18

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8430 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8429 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8428 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8427 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8426 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8425 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8424 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8423 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-8422 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6790 Linux Improper Access Control vulnerability in Linux Kernel 3.18

An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2016-6789 Linux Improper Access Control vulnerability in Linux Kernel 3.18

An elevation of privilege vulnerability in the NVIDIA libomx library (libnvomx) could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2016-6785 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6784 Google Improper Access Control vulnerability in Google Android 6.0.1

An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6783 Google Improper Access Control vulnerability in Google Android

An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6782 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6781 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the MediaTek driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6777 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6776 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6775 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

9.3
2017-01-12 CVE-2016-6772 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in Wi-Fi could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2016-6761 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2016-6760 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2016-6759 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-12 CVE-2016-6758 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in Qualcomm media codecs could enable a local malicious application to execute arbitrary code within the context of a privileged process.

9.3
2017-01-11 CVE-2017-2967 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the XFA engine related to a form's structure and organization.

9.3
2017-01-11 CVE-2017-2966 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable heap overflow vulnerability in the image conversion engine related to parsing malformed TIFF segments.

9.3
2017-01-11 CVE-2017-2965 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the image conversion engine, related to TIFF file parsing.

9.3
2017-01-11 CVE-2017-2964 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the image conversion engine, related to the parsing of JPEG EXIF metadata.

9.3
2017-01-11 CVE-2017-2963 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the image conversion engine, related to handling of the color profile in a TIFF file.

9.3
2017-01-11 CVE-2017-2962 Adobe
Apple
Microsoft
Incorrect Type Conversion or Cast vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable type confusion vulnerability in the XSLT engine related to localization functionality.

9.3
2017-01-11 CVE-2017-2961 Adobe
Apple
Microsoft
Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable use after free vulnerability in the XFA engine, related to validation functionality.

9.3
2017-01-11 CVE-2017-2960 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the image conversion engine, related to parsing of EXIF metadata.

9.3
2017-01-11 CVE-2017-2959 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable heap overflow vulnerability in the image conversion engine, related to parsing of color profile metadata.

9.3
2017-01-11 CVE-2017-2958 Adobe
Apple
Microsoft
Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable use after free vulnerability in the JavaScript engine.

9.3
2017-01-11 CVE-2017-2957 Adobe
Apple
Microsoft
Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable use after free vulnerability in the JavaScript engine, related to collaboration functionality.

9.3
2017-01-11 CVE-2017-2956 Adobe
Apple
Microsoft
Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable use after free vulnerability in the JavaScript engine, related to manipulation of the navigation pane.

9.3
2017-01-11 CVE-2017-2955 Adobe
Apple
Microsoft
Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable use after free vulnerability in the JavaScript engine.

9.3
2017-01-11 CVE-2017-2954 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the image conversion module when handling malformed TIFF images.

9.3
2017-01-11 CVE-2017-2953 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the image conversion module when processing a TIFF image.

9.3
2017-01-11 CVE-2017-2952 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable buffer overflow / underflow vulnerability in the image conversion module related to parsing tags in TIFF files.

9.3
2017-01-11 CVE-2017-2951 Adobe
Apple
Microsoft
Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable use after free vulnerability in the XFA engine, related to sub-form functionality.

9.3
2017-01-11 CVE-2017-2950 Adobe
Apple
Microsoft
Use After Free vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable use after free vulnerability in the XFA engine, related to layout functionality.

9.3
2017-01-11 CVE-2017-2949 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable heap overflow vulnerability in the XSLT engine.

9.3
2017-01-11 CVE-2017-2948 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable buffer overflow / underflow vulnerability in the XFA engine.

9.3
2017-01-11 CVE-2017-2946 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable heap overflow vulnerability when parsing the segment for storing non-graphic information.

9.3
2017-01-11 CVE-2017-2945 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable heap overflow vulnerability when parsing TIFF image files.

9.3
2017-01-11 CVE-2017-2944 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability when parsing crafted TIFF image files.

9.3
2017-01-11 CVE-2017-2943 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability when processing tags in TIFF images.

9.3
2017-01-11 CVE-2017-2942 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable heap overflow vulnerability when processing TIFF image data.

9.3
2017-01-11 CVE-2017-2941 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability when processing Compact Font Format data.

9.3
2017-01-11 CVE-2017-2940 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability when processing JPEG 2000 files.

9.3
2017-01-11 CVE-2017-2939 Adobe
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability when processing a malformed cross-reference table.

9.3
2017-01-10 CVE-2017-0003 Microsoft Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Sharepoint Enterprise Server and Word

Microsoft Word 2016 and SharePoint Enterprise Server 2016 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

9.3

72 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-01-12 CVE-2017-0394 Google Denial of Service vulnerability in Google Android Telephony

A denial of service vulnerability in Telephony could enable a remote attacker to cause a device hang or reboot.

7.8
2017-01-12 CVE-2017-0389 Google Improper Input Validation vulnerability in Google Android

A denial of service vulnerability in core networking could enable a remote attacker to use specially crafted network packet to cause a device hang or reboot.

7.8
2017-01-12 CVE-2017-5351 Samsung Resource Exhaustion vulnerability in Samsung Mobile

Samsung Note devices with KK(4.4), L(5.0/5.1), and M(6.0) software allow attackers to crash the system by creating an arbitrarily large number of active VR service threads.

7.8
2017-01-10 CVE-2017-0004 Microsoft Improper Input Validation vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Vista

The Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows remote attackers to cause a denial of service (reboot) via a crafted authentication request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."

7.8
2017-01-10 CVE-2016-6581 Python Resource Management Errors vulnerability in Python Hpack and Hyper

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack.

7.8
2017-01-12 CVE-2017-0404 Linux Privilege Escalation vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2017-0403 Linux Privilege Escalation vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8468 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.18

An elevation of privilege vulnerability in Binder could enable a local malicious application to execute arbitrary code within the context of a privileged process.

7.6
2017-01-12 CVE-2016-8466 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8465 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8464 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8458 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8457 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8456 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8454 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8453 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8452 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8451 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.4

An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8450 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8449 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the NVIDIA GPU driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8448 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in MediaTek components, including the thermal driver and video driver, could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8447 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in MediaTek components, including the thermal driver and video driver, could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8446 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in MediaTek components, including the thermal driver and video driver, could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8445 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in MediaTek components, including the thermal driver and video driver, could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8444 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8415 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8412 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Qualcomm camera could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8399 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8394 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8393 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8392 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-8391 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-6791 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-6788 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in the MediaTek I2C driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-6780 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-6779 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-6778 Linux Improper Access Control vulnerability in Linux Kernel 3.10

An elevation of privilege vulnerability in the HTC sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-12 CVE-2016-6755 Linux Improper Access Control vulnerability in Linux Kernel 3.10/3.18

An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

7.6
2017-01-13 CVE-2016-2090 Fedoraproject
Freedesktop
Debian
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Off-by-one vulnerability in the fgetwln function in libbsd before 0.8.2 allows attackers to have unspecified impact via unknown vectors, which trigger a heap-based buffer overflow.

7.5
2017-01-13 CVE-2016-10141 Artifex Integer Overflow or Wraparound vulnerability in Artifex Mujs

An integer overflow vulnerability was observed in the regemit function in regexp.c in Artifex Software, Inc.

7.5
2017-01-12 CVE-2016-9299 Jenkins
Fedoraproject
LDAP Injection vulnerability in Jenkins

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.

7.5
2017-01-12 CVE-2016-8606 GNU
Fedoraproject
Improper Access Control vulnerability in multiple products

The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute arbitrary code via an HTTP inter-protocol attack.

7.5
2017-01-12 CVE-2016-7791 Exponentcms Improper Input Validation vulnerability in Exponentcms Exponent CMS 2.3.9

Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php.

7.5
2017-01-12 CVE-2016-7790 Exponentcms Improper Input Validation vulnerability in Exponentcms Exponent CMS 2.3.9

Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php.

7.5
2017-01-12 CVE-2017-5225 Libtiff Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libtiff 4.0.7

LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

7.5
2017-01-12 CVE-2016-10131 Codeigniter Injection vulnerability in Codeigniter

system/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments.

7.5
2017-01-12 CVE-2016-7479 PHP Use After Free vulnerability in PHP

In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free.

7.5
2017-01-11 CVE-2016-7480 PHP Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

7.5
2017-01-11 CVE-2017-5340 PHP Integer Overflow or Wraparound vulnerability in PHP

Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.

7.5
2017-01-11 CVE-2017-2938 Adobe
Apple
Google
Linux
Microsoft
Security Bypass vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.186 and earlier have a security bypass vulnerability related to handling TCP connections.

7.5
2017-01-10 CVE-2016-6830 Call CC Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Call-Cc Chicken

The "process-execute" and "process-spawn" procedures in CHICKEN Scheme used fixed-size buffers for holding the arguments and environment variables to use in its execve() call.

7.5
2017-01-10 CVE-2015-4594 Eclinicalworks Session Fixation vulnerability in Eclinicalworks Population Health

eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability.

7.5
2017-01-13 CVE-2016-10139 Adups Cryptographic Issues vulnerability in Adups Fota

An issue was discovered on BLU R1 HD devices with Shanghai Adups software.

7.2
2017-01-13 CVE-2016-10138 Adups Cryptographic Issues vulnerability in Adups Fota

An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software.

7.2
2017-01-13 CVE-2016-10137 Adups Cryptographic Issues vulnerability in Adups Fota

An issue was discovered on BLU R1 HD devices with Shanghai Adups software.

7.2
2017-01-13 CVE-2016-10136 Adups Cryptographic Issues vulnerability in Adups Fota

An issue was discovered on BLU R1 HD devices with Shanghai Adups software.

7.2
2017-01-12 CVE-2016-8443 Linux Improper Authorization vulnerability in Linux Kernel 3.18

Possible unauthorized memory access in the hypervisor.

7.2
2017-01-12 CVE-2016-8442 Linux Improper Input Validation vulnerability in Linux Kernel 3.18

Possible unauthorized memory access in the hypervisor.

7.2
2017-01-12 CVE-2016-8441 Linux Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel 3.18

Possible buffer overflow in the hypervisor.

7.2
2017-01-13 CVE-2016-9311 NTP NULL Pointer Dereference vulnerability in NTP 4.2.4/4.2.7/4.2.8

ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted packet.

7.1
2017-01-12 CVE-2017-0393 Google Denial of Service vulnerability in Google Android Mediaserver

A denial of service vulnerability in libvpx in Mediaserver could enable a remote attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2017-0392 Google Denial of Service vulnerability in Google Android Mediaserver

A denial of service vulnerability in VBRISeeker.cpp in libstagefright in Mediaserver could enable a remote attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2017-0391 Google Denial of Service vulnerability in Google Android Mediaserver

A denial of service vulnerability in decoder/ihevcd_decode.c in libhevc in Mediaserver could enable a remote attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2017-0390 Google Denial of Service vulnerability in Google Android Mediaserver

A denial of service vulnerability in Tremolo/dpen.s in Mediaserver could enable a remote attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2016-8463 Linux Resource Management Errors vulnerability in Linux Kernel 3.10/3.18

A denial of service vulnerability in the Qualcomm FUSE file system could enable a remote attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2016-8395 Linux Local Denial of Service vulnerability in Linux Kernel 3.10

A denial of service vulnerability in the NVIDIA camera driver could enable an attacker to cause a local permanent denial of service, which may require reflashing the operating system to repair the device.

7.1
2017-01-12 CVE-2016-6767 Google Resource Management Errors vulnerability in Google Android

A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2016-6766 Google Data Processing Errors vulnerability in Google Android

A denial of service vulnerability in libmedia and libstagefright in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2016-6765 Google Data Processing Errors vulnerability in Google Android

A denial of service vulnerability in libstagefright in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2016-6764 Google Resource Management Errors vulnerability in Google Android

A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-12 CVE-2016-6763 Google Improper Access Control vulnerability in Google Android

A denial of service vulnerability in Telephony could enable a local malicious application to use a specially crafted file to cause a device hang or reboot.

7.1
2017-01-09 CVE-2017-5217 Samsung Improper Input Validation vulnerability in Samsung Mobile

Installing a zero-permission Android application on certain Samsung Android devices with KK(4.4), L(5.0/5.1), and M(6.0) software can continually crash the system_server process in the Android OS.

7.1

107 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-01-15 CVE-2017-5492 Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Wordpress

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

6.8
2017-01-15 CVE-2017-5489 Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Wordpress

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

6.8
2017-01-14 CVE-2017-5476 S9Y Cross-Site Request Forgery (CSRF) vulnerability in S9Y Serendipity

Serendipity through 2.0.5 allows CSRF for the installation of an event plugin or a sidebar plugin.

6.8
2017-01-14 CVE-2017-5475 S9Y Cross-Site Request Forgery (CSRF) vulnerability in S9Y Serendipity

comment.php in Serendipity through 2.0.5 allows CSRF in deleting any comments.

6.8
2017-01-14 CVE-2017-5473 Ntop Cross-Site Request Forgery (CSRF) vulnerability in Ntop Ntopng

Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.

6.8
2017-01-13 CVE-2016-9809 Gstreamer Out-of-bounds Read vulnerability in Gstreamer

Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read.

6.8
2017-01-13 CVE-2017-5364 Foxitsoftware Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware Foxit PDF Toolkit 1.3

Memory Corruption Vulnerability in Foxit PDF Toolkit v1.3 allows an attacker to cause Denial of Service and Remote Code Execution when the victim opens the specially crafted PDF file.

6.8
2017-01-12 CVE-2017-0382 Google Remote Code Execution vulnerability in Google Android Framesequence Library

A remote code execution vulnerability in the Framesequence library could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process.

6.8
2017-01-12 CVE-2016-6771 Google Improper Access Control vulnerability in Google Android 6.0/6.0.1/7.0

An elevation of privilege vulnerability in Telephony could enable a local malicious application to access system functions beyond its access level.

6.8
2017-01-12 CVE-2016-6768 Google Improper Access Control vulnerability in Google Android

A remote code execution vulnerability in the Framesequence library could enable an attacker using a specially crafted file to execute arbitrary code in the context of an unprivileged process.

6.8
2017-01-12 CVE-2016-6762 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in the libziparchive library could enable a local malicious application to execute arbitrary code within the context of a privileged process.

6.8
2017-01-11 CVE-2016-4808 Web2Py Cross-Site Request Forgery (CSRF) vulnerability in Web2Py

Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to victim.

6.8
2017-01-10 CVE-2017-0002 Microsoft Remote Privilege Escalation vulnerability in Microsoft Edge

Microsoft Edge allows remote attackers to bypass the Same Origin Policy via vectors involving the about:blank URL and data: URLs, aka "Microsoft Edge Elevation of Privilege Vulnerability."

6.8
2017-01-10 CVE-2015-4593 Eclinicalworks Cross-Site Request Forgery (CSRF) vulnerability in Eclinicalworks Population Health

eClinicalWorks Population Health (CCMR) suffers from a cross-site request forgery (CSRF) vulnerability in portalUserService.jsp which allows remote attackers to hijack the authentication of content administrators for requests that could lead to the creation, modification and deletion of users, appointments and employees.

6.8
2017-01-09 CVE-2016-10125 D Link Use of Hard-coded Credentials vulnerability in D-Link Dgs-1100 Firmware 1.01.018

D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded SSL private key, which allows man-in-the-middle attackers to spoof devices by hijacking an HTTPS session.

6.8
2017-01-13 CVE-2010-5327 Liferay Permissions, Privileges, and Access Controls vulnerability in Liferay Portal

Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.

6.5
2017-01-12 CVE-2017-5347 Metalgenix SQL Injection vulnerability in Metalgenix Genixcms 0.0.8

SQL injection vulnerability in inc/mod/newsletter/options.php in GeniXCMS 0.0.8 allows remote authenticated administrators to execute arbitrary SQL commands via the recipient parameter to gxadmin/index.php.

6.5
2017-01-12 CVE-2017-5346 Genixcms SQL Injection vulnerability in Genixcms 0.0.8

SQL injection vulnerability in inc/lib/Control/Backend/posts.control.php in GeniXCMS 0.0.8 allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter to gxadmin/index.php.

6.5
2017-01-12 CVE-2017-5345 Metalgenix SQL Injection vulnerability in Metalgenix Genixcms 0.0.8

SQL injection vulnerability in inc/lib/Control/Ajax/tags-ajax.control.php in GeniXCMS 0.0.8 allows remote authenticated editors to execute arbitrary SQL commands via the term parameter to the default URI.

6.5
2017-01-10 CVE-2015-4592 Eclinicalworks SQL Injection vulnerability in Eclinicalworks Population Health

eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input.

6.5
2017-01-14 CVE-2016-8206 Brocade Path Traversal vulnerability in Brocade Network Advisor 11.0.0.0/11.0.2.0

A Directory Traversal vulnerability in servlet SoftwareImageUpload in the Brocade Network Advisor versions released prior to and including 14.0.2 could allow remote attackers to write to arbitrary files, and consequently delete the files.

6.4
2017-01-13 CVE-2016-9310 NTP Resource Exhaustion vulnerability in NTP 4.2.4/4.2.7/4.2.8

The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet.

6.4
2017-01-13 CVE-2016-3128 Blackberry 7PK - Security Features vulnerability in Blackberry Enterprise Service

A spoofing vulnerability in the Core of BlackBerry Enterprise Server (BES) 12 through 12.5.2 allows remote attackers to enroll an illegitimate device to the BES, gain access to device parameters for the BES, or send false information to the BES by gaining access to specific information about a device that was legitimately enrolled on the BES.

6.4
2017-01-11 CVE-2017-5209 Libimobiledevice Out-of-bounds Read vulnerability in Libimobiledevice Libplist

The base64decode function in base64.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via split encoded Apple Property List data.

6.4
2017-01-14 CVE-2016-8201 Brocade Cross-Site Request Forgery (CSRF) vulnerability in Brocade Virtual Traffic Manager

A CSRF vulnerability in Brocade Virtual Traffic Manager versions released prior to and including 11.0 could allow an attacker to trick a logged-in user into making administrative changes on the traffic manager cluster.

6.0
2017-01-14 CVE-2017-5474 S9Y Open Redirect vulnerability in S9Y Serendipity

Open redirect vulnerability in comment.php in Serendipity through 2.0.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.

5.8
2017-01-12 CVE-2016-5715 Puppet Open Redirect vulnerability in Puppet

Open redirect vulnerability in the Console in Puppet Enterprise 2015.x and 2016.x before 2016.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the redirect parameter.

5.8
2017-01-12 CVE-2015-6501 Puppet Open Redirect vulnerability in Puppet

Open redirect vulnerability in the Console in Puppet Enterprise before 2015.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the string parameter.

5.8
2017-01-15 CVE-2017-5480 B2Evolution Path Traversal vulnerability in B2Evolution

Directory traversal vulnerability in inc/files/files.ctrl.php in b2evolution through 6.8.3 allows remote authenticated users to read or delete arbitrary files by leveraging back-office access to provide a ..

5.5
2017-01-15 CVE-2017-5493 Wordpress Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Wordpress

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

5.0
2017-01-15 CVE-2017-5491 Wordpress Insecure Default Initialization of Resource vulnerability in Wordpress

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

5.0
2017-01-15 CVE-2017-5487 Wordpress Information Exposure vulnerability in Wordpress

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

5.0
2017-01-14 CVE-2016-8207 Brocade Path Traversal vulnerability in Brocade Network Advisor 11.0.0.0/11.0.2.0

A Directory Traversal vulnerability in CliMonitorReportServlet in the Brocade Network Advisor versions released prior to and including 14.0.2 could allow remote attackers to read arbitrary files including files with sensitive user information.

5.0
2017-01-14 CVE-2016-10142 Ietf Code vulnerability in Ietf Ipv6

An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages.

5.0
2017-01-13 CVE-2016-9812 Gstreamer Out-of-bounds Read vulnerability in Gstreamer

The gst_mpegts_section_new function in the mpegts decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a too small section.

5.0
2017-01-13 CVE-2016-9808 Gstreamer Out-of-bounds Write vulnerability in Gstreamer

The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted series of skip and count pairs.

5.0
2017-01-13 CVE-2016-9312 NTP
Microsoft
Resource Management Errors vulnerability in NTP 4.2.4/4.2.7/4.2.8

ntpd in NTP before 4.2.8p9, when running on Windows, allows remote attackers to cause a denial of service via a large UDP packet.

5.0
2017-01-13 CVE-2016-9107 OTR Information Exposure vulnerability in OTR Gajim-Otr

The OTR plugin for Gajim sends information in cleartext when using XHTML, which allows remote attackers to obtain sensitive information via unspecified vectors.

5.0
2017-01-13 CVE-2016-7433 NTP Incorrect Calculation vulnerability in NTP 4.2.4/4.2.7/4.2.8

NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."

5.0
2017-01-13 CVE-2016-7431 NTP Improper Input Validation vulnerability in NTP 4.2.8

NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero.

5.0
2017-01-13 CVE-2016-6886 Matrixssl Key Management Errors vulnerability in Matrixssl 3.8.2/3.8.3

The pstm_reverse function in MatrixSSL before 3.8.4 allows remote attackers to cause a denial of service (invalid memory read and crash) via a (1) zero value or (2) the key's modulus for the secret key during RSA key exchange.

5.0
2017-01-13 CVE-2016-6885 Matrixssl Use After Free vulnerability in Matrixssl 3.8.2/3.8.3

The pstm_exptmod function in MatrixSSL before 3.8.4 allows remote attackers to cause a denial of service (invalid free and crash) via a base zero value for the modular exponentiation.

5.0
2017-01-13 CVE-2016-9882 Cloudfoundry Information Exposure Through Log Files vulnerability in Cloudfoundry Capi-Release and Cf-Release

An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v250 and CAPI-release versions prior to v1.12.0.

5.0
2017-01-13 CVE-2016-10140 Zoneminder Information Exposure vulnerability in Zoneminder 1.30.0

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.

5.0
2017-01-12 CVE-2016-3152 Barco Information Exposure vulnerability in Barco Clickshare Csc-1 Firmware

Barco ClickShare CSC-1 devices with firmware before 01.09.03 allow remote attackers to obtain the root password by downloading and extracting the firmware image.

5.0
2017-01-12 CVE-2016-3151 Barco Path Traversal vulnerability in Barco products

Directory traversal vulnerability in the wallpaper parsing functionality in Barco ClickShare CSC-1 devices with firmware before 01.09.03, CSM-1 devices with firmware before 01.06.02, and CSE-200 devices with firmware before 01.03.02 allows remote attackers to read /etc/shadow via unspecified vectors.

5.0
2017-01-12 CVE-2016-8605 Fedoraproject
GNU
Permission Issues vulnerability in multiple products

The mkdir procedure of GNU Guile temporarily changed the process' umask to zero.

5.0
2017-01-12 CVE-2017-5350 Samsung Denial of Service vulnerability in Multiple Samsung Android Mobile Devices

Samsung Note devices with L(5.0/5.1), M(6.0), and N(7.0) software allow attackers to crash systemUI by leveraging incomplete exception handling.

5.0
2017-01-12 CVE-2016-9444 ISC Improper Input Validation vulnerability in ISC Bind

named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer.

5.0
2017-01-12 CVE-2016-9147 ISC Improper Input Validation vulnerability in ISC Bind 9.10.4/9.11.0/9.9.9

named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a response containing an inconsistency among the DNSSEC-related RRsets.

5.0
2017-01-12 CVE-2016-9131 ISC
Debian
Redhat
Netapp
Improper Input Validation vulnerability in multiple products

named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed response to an RTYPE ANY query.

5.0
2017-01-11 CVE-2016-6820 Netapp Information Exposure vulnerability in Netapp Metrocluster Tiebreaker

MetroCluster Tiebreaker for clustered Data ONTAP in versions before 1.2 discloses sensitive information in cleartext which may be viewed by an unauthenticated user.

5.0
2017-01-11 CVE-2016-4806 Web2Py Information Exposure vulnerability in Web2Py

Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.

5.0
2017-01-11 CVE-2016-7478 PHP Remote Denial Of Service vulnerability in PHP

Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.

5.0
2017-01-10 CVE-2016-6831 Call CC Resource Exhaustion vulnerability in Call-Cc Chicken

The "process-execute" and "process-spawn" procedures did not free memory correctly when the execve() call failed, resulting in a memory leak.

5.0
2017-01-10 CVE-2016-6580 Python Resource Management Errors vulnerability in Python Priority Library 1.0.0/1.1.0/1.1.1

A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID.

5.0
2017-01-10 CVE-2016-6287 Call CC Data Processing Errors vulnerability in Call-Cc Http-Client 0.4.2/0.9

The "http-client" egg always used a HTTP_PROXY environment variable to determine whether HTTP traffic should be routed via a proxy, even when running as a CGI process.

5.0
2017-01-10 CVE-2016-6286 Call CC Data Processing Errors vulnerability in Call-Cc Http-Client 0.4.2

The "spiffy-cgi-handlers" egg would convert a nonexistent "Proxy" header to the HTTP_PROXY environment variable, which would allow attackers to direct CGI programs which use this environment variable to use an attacker-specified HTTP proxy server (also known as a "httpoxy" attack).

5.0
2017-01-09 CVE-2016-10124 Linuxcontainers Improper Access Control vulnerability in Linuxcontainers LXC 2.0.0

An issue was discovered in Linux Containers (LXC) before 2016-02-22.

5.0
2017-01-13 CVE-2016-8467 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

An elevation of privilege vulnerability in the bootloader could enable a local attacker to execute arbitrary modem commands on the device.

4.9
2017-01-15 CVE-2017-5490 Wordpress Cross-site Scripting vulnerability in Wordpress

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

4.3
2017-01-15 CVE-2017-5488 Wordpress Cross-site Scripting vulnerability in Wordpress

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.

4.3
2017-01-13 CVE-2017-0398 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in Audioserver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-13 CVE-2016-9813 Gstreamer NULL Pointer Dereference vulnerability in Gstreamer

The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.

4.3
2017-01-13 CVE-2016-9811 Gstreamer Out-of-bounds Read vulnerability in Gstreamer

The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ico file.

4.3
2017-01-13 CVE-2016-9810 Gstreamer Out-of-bounds Read vulnerability in Gstreamer

The gst_decode_chain_free_internal function in the flxdex decoder in gst-plugins-good in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via an invalid file, which triggers an incorrect unref call.

4.3
2017-01-13 CVE-2016-9807 Gstreamer Out-of-bounds Read vulnerability in Gstreamer

The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted FLIC file.

4.3
2017-01-13 CVE-2016-8883 Jasper Project Resource Management Errors vulnerability in Jasper Project Jasper

The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.

4.3
2017-01-13 CVE-2016-8882 Jasper Project NULL Pointer Dereference vulnerability in Jasper Project Jasper

The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.

4.3
2017-01-13 CVE-2016-8671 Matrixssl Information Exposure vulnerability in Matrixssl

The pstm_exptmod function in MatrixSSL 3.8.6 and earlier does not properly perform modular exponentiation, which might allow remote attackers to predict the secret key via unspecified vectors.

4.3
2017-01-13 CVE-2016-7434 NTP
HPE
Improper Input Validation vulnerability in NTP 4.2.8/4.2.7

The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.

4.3
2017-01-13 CVE-2016-7429 NTP Source Code vulnerability in NTP 4.2.4/4.2.7/4.2.8

NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use.

4.3
2017-01-13 CVE-2016-7426 NTP
Canonical
Redhat
HPE
Resource Exhaustion vulnerability in NTP 4.2.5/4.2.6/4.2.7

NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.

4.3
2017-01-13 CVE-2016-6887 Matrixssl Information Exposure vulnerability in Matrixssl

The pstm_exptmod function in MatrixSSL 3.8.6 and earlier does not properly perform modular exponentiation, which might allow remote attackers to predict the secret key via a CRT attack.

4.3
2017-01-13 CVE-2017-3890 Blackberry Cross-site Scripting vulnerability in Blackberry Appliance-X and Vapp

A reflected cross-site scripting vulnerability in the BlackBerry WatchDox Server components Appliance-X, version 1.8.1 and earlier, and vAPP, versions 4.6.0 to 5.4.1, allows remote attackers to execute script commands in the context of the affected browser by persuading a user to click an attacker-supplied malicious link.

4.3
2017-01-13 CVE-2016-3130 Blackberry Information Exposure vulnerability in Blackberry Enterprise Service

An information disclosure vulnerability in the Core and Management Console in BlackBerry Enterprise Server (BES) 12 through 12.5.2 allows remote attackers to obtain local or domain credentials of an administrator or user account by sniffing traffic between the two elements during a login attempt.

4.3
2017-01-13 CVE-2016-10135 LG Information Exposure vulnerability in LG Mobile

An issue was discovered on LG devices using the MTK chipset with L(5.0/5.1), M(6.0/6.0.1), and N(7.0) software, and RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices.

4.3
2017-01-12 CVE-2016-5737 Openstack Cross-site Scripting vulnerability in Openstack Puppet-Gerrit

The Gerrit configuration in the Openstack Puppet module for Gerrit (aka puppet-gerrit) improperly marks text/html as a safe mimetype, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a crafted review.

4.3
2017-01-12 CVE-2016-3150 Barco Cross-site Scripting vulnerability in Barco products

Cross-site scripting (XSS) vulnerability in wallpaper.php in the Base Unit in Barco ClickShare CSC-1 devices with firmware before 01.09.03, CSM-1 devices with firmware before 01.06.02, and CSE-200 devices with firmware before 01.03.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2017-01-12 CVE-2016-10027 Igniterealtime
Fedoraproject
Race Condition vulnerability in multiple products

Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response.

4.3
2017-01-12 CVE-2017-0402 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in Audioserver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2017-0401 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in the Qualcomm audio post processor could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2017-0400 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in Audioserver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2017-0399 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBundle.cpp in libeffects in the Qualcomm audio post processor could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2017-0397 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in id3/ID3.cpp in libstagefright in Mediaserver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2017-0396 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in visualizer/EffectVisualizer.cpp in libeffects in Mediaserver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2017-0395 Google Privilege Escalation vulnerability in Google Android

An elevation of privilege vulnerability in Contacts could enable a local malicious application to silently create contact information.

4.3
2017-01-12 CVE-2016-8460 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8407 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8406 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8405 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8404 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8403 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8402 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8401 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8400 Linux Information Exposure vulnerability in Linux Kernel 3.18

An information disclosure vulnerability in the NVIDIA librm library (libnvrm) could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8397 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-8396 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in the MediaTek video driver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-6773 Google Information Exposure vulnerability in Google Android 6.0/6.0.1/7.0

An information disclosure vulnerability in the ih264d decoder in Mediaserver could enable a local malicious application to access data outside of its permission levels.

4.3
2017-01-12 CVE-2016-6770 Google Improper Access Control vulnerability in Google Android

An elevation of privilege vulnerability in the Framework API could enable a local malicious application to access system functions beyond its access level.

4.3
2017-01-11 CVE-2015-8020 Netapp Information Exposure vulnerability in Netapp Clustered Data Ontap 8.0/8.3.1/8.3.2

Clustered Data ONTAP versions 8.0, 8.3.1, and 8.3.2 contain a default privileged account which under certain conditions can be used for unauthorized information disclosure.

4.3
2017-01-11 CVE-2017-2947 Adobe
Apple
Microsoft
Improper Input Validation vulnerability in Adobe products

Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have a security bypass vulnerability when manipulating Form Data Format (FDF).

4.3
2017-01-10 CVE-2016-9247 F5 Improper Input Validation vulnerability in F5 products

Under certain conditions for BIG-IP systems using a virtual server with an associated FastL4 profile and TCP analytics profile, a specific sequence of packets may cause the Traffic Management Microkernel (TMM) to restart.

4.3
2017-01-10 CVE-2016-6837 Mantisbt Cross-site Scripting vulnerability in Mantisbt

Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.0-beta1 allows remote attackers to inject arbitrary web script or HTML via the 'view_type' parameter.

4.3
2017-01-10 CVE-2015-4591 Eclinicalworks Cross-site Scripting vulnerability in Eclinicalworks Population Health

eClinicalWorks Population Health (CCMR) suffers from a cross site scripting vulnerability in login.jsp which allows remote unauthenticated users to inject arbitrary javascript via the strMessage parameter.

4.3
2017-01-09 CVE-2016-8106 Intel
HP
Lenovo
Improper Input Validation vulnerability in multiple products

A Denial of Service in Intel Ethernet Controller's X710/XL710 with Non-Volatile Memory Images before version 5.05 allows a remote attacker to stop the controller from processing network traffic working under certain network use conditions.

4.3
2017-01-09 CVE-2017-5216 Netop Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Netop Remote Control

Stack-based buffer overflow vulnerability in Netop Remote Control versions 11.53, 12.21 and prior.

4.3

24 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-01-15 CVE-2017-2584 Linux Use After Free vulnerability in Linux Kernel

arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt.

3.6
2017-01-15 CVE-2017-5494 B2Evolution Cross-site Scripting vulnerability in B2Evolution

Multiple cross-site scripting (XSS) vulnerabilities in the file types table in b2evolution through 6.8.3 allow remote authenticated users to inject arbitrary web script or HTML via a .swf file in a (1) comment frame or (2) avatar frame.

3.5
2017-01-11 CVE-2016-4807 Web2Py Cross-site Scripting vulnerability in Web2Py

Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).

3.5
2017-01-13 CVE-2016-7428 NTP Resource Exhaustion vulnerability in NTP 4.2.8

ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.

3.3
2017-01-13 CVE-2016-7427 NTP Resource Exhaustion vulnerability in NTP 4.2.8

The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.

3.3
2017-01-12 CVE-2016-8475 Linux Information Exposure vulnerability in Linux Kernel 3.18

An information disclosure vulnerability in the HTC input driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8474 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8473 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in the STMicroelectronics driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8472 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in the MediaTek driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8471 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in the MediaTek driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8470 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in the MediaTek driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8469 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in the camera driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8410 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8409 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-8408 Linux Information Exposure vulnerability in Linux Kernel 3.10

An information disclosure vulnerability in the NVIDIA video driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-6774 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in Package Manager could enable a local malicious application to bypass operating system protections that isolate application data from other applications.

2.6
2017-01-12 CVE-2016-6757 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-12 CVE-2016-6756 Linux Information Exposure vulnerability in Linux Kernel 3.10/3.18

An information disclosure vulnerability in Qualcomm components including the camera driver and video driver could enable a local malicious application to access data outside of its permission levels.

2.6
2017-01-11 CVE-2016-9015 Python Improper Certificate Validation vulnerability in Python Urllib3 1.17/1.18

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates.

2.6
2017-01-12 CVE-2017-0388 Google Information Exposure vulnerability in Google Android

An elevation of privilege vulnerability in the External Storage Provider could enable a local secondary user to read data from an external storage SD card inserted by the primary user.

2.1
2017-01-12 CVE-2016-8462 Google Information Exposure vulnerability in Google Android

An information disclosure vulnerability in the bootloader could enable a local attacker to access data outside of its permission level.

2.1
2017-01-12 CVE-2016-8461 Linux Information Exposure vulnerability in Linux Kernel 3.18

An information disclosure vulnerability in the bootloader could enable a local attacker to access data outside of its permission level.

2.1
2017-01-12 CVE-2016-6769 Google Improper Access Control vulnerability in Google Android

An elevation of privilege vulnerability in Smart Lock could enable a local malicious user to access Smart Lock settings without a PIN.

2.1
2017-01-12 CVE-2016-8221 Lenovo Permissions, Privileges, and Access Controls vulnerability in Lenovo Xclarity Administrator

Privilege Escalation in Lenovo XClarity Administrator earlier than 1.2.0, if LXCA is used to manage rack switches or chassis with embedded input/output modules (IOMs), certain log files viewable by authenticated users may contain passwords for internal administrative LXCA accounts with temporary passwords that are used internally by LXCA code.

1.9