Weekly Vulnerabilities Reports > February 13 to 19, 2017

Overview

310 new vulnerabilities reported during this period, including 17 critical vulnerabilities and 72 high severity vulnerabilities. This weekly summary report vulnerabilities in 403 products from 113 vendors including Google, Microsoft, Adobe, Linux, and Libdwarf Project. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Out-of-bounds Read", "Cross-site Scripting", "NULL Pointer Dereference", and "Permissions, Privileges, and Access Controls".

  • 268 reported vulnerabilities are remotely exploitables.
  • 27 reported vulnerabilities have public exploit available.
  • 75 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 286 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 35 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 12 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

17 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-02-15 CVE-2017-2996 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability in Primetime SDK.

10.0
2017-02-15 CVE-2017-2993 Adobe
Apple
Google
Linux
Microsoft
USE After Free vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable use after free vulnerability related to event handlers.

10.0
2017-02-15 CVE-2017-2992 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable heap overflow vulnerability when parsing an MP4 header.

10.0
2017-02-15 CVE-2017-2991 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability in the h264 codec (related to decompression).

10.0
2017-02-15 CVE-2017-2990 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability in the h264 decompression routine.

10.0
2017-02-15 CVE-2017-2988 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable memory corruption vulnerability when performing garbage collection.

10.0
2017-02-15 CVE-2017-2987 Adobe
Apple
Google
Linux
Microsoft
Integer Overflow OR Wraparound vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable integer overflow vulnerability related to Flash Broker COM.

10.0
2017-02-15 CVE-2017-2986 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable heap overflow vulnerability in the Flash Video (FLV) codec.

10.0
2017-02-15 CVE-2017-2985 Adobe
Apple
Google
Linux
Microsoft
USE After Free vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable use after free vulnerability in the ActionScript 3 BitmapData class.

10.0
2017-02-15 CVE-2017-2984 Adobe
Apple
Google
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable heap overflow vulnerability in the h264 decoder routine.

10.0
2017-02-15 CVE-2017-2982 Adobe
Apple
Google
Linux
Microsoft
USE After Free vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable use after free vulnerability in a routine related to player shutdown.

10.0
2017-02-15 CVE-2017-2973 Adobe Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable heap overflow vulnerability.

10.0
2017-02-13 CVE-2017-5162 Binom3 Missing Authentication FOR Critical Function vulnerability in Binom3 Universal Multifunctional Electric Power Quality Meter Firmware

An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter.

10.0
2017-02-13 CVE-2016-9369 Moxa Improper Authentication vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

10.0
2017-02-13 CVE-2016-8364 Ibhsoftec Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ibhsoftec S7-Softplc

An issue was discovered in IBHsoftec S7-SoftPLC prior to 4.12b.

10.0
2017-02-13 CVE-2017-5161 Sielcosistemi Uncontrolled Search Path Element vulnerability in Sielcosistemi Winlog Lite and Winlog PRO

An issue was discovered in Sielco Sistemi Winlog Lite SCADA Software, versions prior to Version 3.02.01, and Winlog Pro SCADA Software, versions prior to Version 3.02.01.

9.3
2017-02-13 CVE-2016-8355 Smiths Medical Missing Authentication FOR Critical Function vulnerability in Smiths-Medical Cadd-Solis Medication Safety Software

An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1.

9.0

72 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-02-17 CVE-2016-9814 Simplesamlphp Resource Management Errors vulnerability in Simplesamlphp Saml2 and Simplesamlphp

The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

8.5
2017-02-15 CVE-2016-9706 IBM XXE vulnerability in IBM Integration BUS and Websphere Message Broker

IBM Integration Bus 9.0 and 10.0 and WebSphere Message Broker SOAP FLOWS is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data.

8.5
2017-02-17 CVE-2017-6014 Wireshark
Debian
Infinite Loop vulnerability in multiple products

In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion.

7.8
2017-02-14 CVE-2017-5972 Linux Resource Exhaustion vulnerability in Linux Kernel

The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets, as demonstrated by an attack against the kernel-3.10.0 package in CentOS Linux 7.

7.8
2017-02-13 CVE-2016-9367 Moxa Resource Exhaustion vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

7.8
2017-02-13 CVE-2016-9332 Moxa Resource Management Errors vulnerability in Moxa Softcms 1.2/1.3/1.4

An issue was discovered in Moxa SoftCMS versions prior to Version 1.6.

7.8
2017-02-13 CVE-2016-8374 Schneider Electric Resource Exhaustion vulnerability in Schneider Electric products

An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe).

7.8
2017-02-13 CVE-2016-7987 Siemens Data Processing Errors vulnerability in Siemens Eta2 Firmware and Eta4 Firmware

An issue was discovered in Siemens ETA4 firmware (all versions prior to Revision 08) of the SM-2558 extension module for: SICAM AK, SICAM TM 1703, SICAM BC 1703, and SICAM AK 3.

7.8
2017-02-18 CVE-2017-6001 Linux Race Condition vulnerability in Linux Kernel

Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context.

7.6
2017-02-17 CVE-2016-6875 Facebook Unspecified vulnerability in Facebook Hhvm

Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

7.5
2017-02-17 CVE-2016-6874 Facebook Unspecified vulnerability in Facebook Hhvm

The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion.

7.5
2017-02-17 CVE-2016-6873 Facebook Unspecified vulnerability in Facebook Hhvm

Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

7.5
2017-02-17 CVE-2016-6872 Facebook Integer Overflow OR Wraparound vulnerability in Facebook Hhvm

Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

7.5
2017-02-17 CVE-2016-6871 Facebook Integer Overflow OR Wraparound vulnerability in Facebook Hhvm

Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow.

7.5
2017-02-17 CVE-2016-6870 Facebook Out-Of-Bounds Write vulnerability in Facebook Hhvm

Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors.

7.5
2017-02-17 CVE-2017-5344 Dotcms SQL Injection vulnerability in Dotcms

An issue was discovered in dotCMS through 3.6.1.

7.5
2017-02-17 CVE-2016-6233 Fedoraproject
Zend
SQL Injection vulnerability in multiple products

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

7.5
2017-02-17 CVE-2016-4861 Fedoraproject
Zend
SQL Injection vulnerability in multiple products

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

7.5
2017-02-17 CVE-2016-10134 Zabbix SQL Injection vulnerability in Zabbix

SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.

7.5
2017-02-15 CVE-2016-3694 Modified SQL Injection vulnerability in Modified Ecommerce Shopsoftware 2.0.0.0

Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status parameter to api/easybill/easybillcsv.php.

7.5
2017-02-15 CVE-2016-0360 IBM Deserialization of Untrusted Data vulnerability in IBM Websphere MQ JMS

IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.

7.5
2017-02-15 CVE-2013-7459 Dlitz
Fedoraproject
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.

7.5
2017-02-15 CVE-2017-2968 Adobe Code Injection vulnerability in Adobe Campaign 16.4

Adobe Campaign versions 16.4 Build 8724 and earlier have a code injection vulnerability.

7.5
2017-02-13 CVE-2017-5167 Binom3 USE of Hard-Coded Credentials vulnerability in Binom3 Universal Multifunctional Electric Power Quality Meter Firmware

An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter.

7.5
2017-02-13 CVE-2017-5159 Phoenix Contact Resource Injection vulnerability in Phoenix Contact Mguard 8.4.0

An issue was discovered on Phoenix Contact mGuard devices that have been updated to Version 8.4.0.

7.5
2017-02-13 CVE-2017-5155 Schneider Electric Insecure Default Initialization of Resource vulnerability in Schneider-Electric Wonderware Historian 2014R2Sp1P01

An issue was discovered in Schneider Electric Wonderware Historian 2014 R2 SP1 P01 and earlier.

7.5
2017-02-13 CVE-2017-5154 Advantech SQL Injection vulnerability in Advantech Webaccess 8.1

An issue was discovered in Advantech WebAccess Version 8.1.

7.5
2017-02-13 CVE-2017-5151 Videoinsight SQL Injection vulnerability in Videoinsight web Client

An issue was discovered in VideoInsight Web Client Version 6.3.5.11 and previous versions.

7.5
2017-02-13 CVE-2017-5145 Carlosgavazzi Cross-Site Request Forgery (CSRF) vulnerability in Carlosgavazzi Vmu-C EM Firmware and Vmu-C PV Firmware

An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17.

7.5
2017-02-13 CVE-2017-5144 Carlosgavazzi Multiple Security vulnerability in Multiple Carlo Gavazzi Products ICSA-17-012-03

An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17.

7.5
2017-02-13 CVE-2017-5143 Honeywell Path Traversal vulnerability in Honeywell XL web II Controller Xlwebexe10208/Xlwebexe20100

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior.

7.5
2017-02-13 CVE-2016-9363 Moxa Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

7.5
2017-02-13 CVE-2016-9361 Moxa Improper Authentication vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

7.5
2017-02-13 CVE-2016-9343 Rockwell Automation Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Rockwell Automation products

An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected).

7.5
2017-02-13 CVE-2016-9333 Moxa SQL Injection vulnerability in Moxa Softcms 1.2/1.3/1.4

An issue was discovered in Moxa SoftCMS versions prior to Version 1.6.

7.5
2017-02-13 CVE-2016-8567 Siemens USE of Hard-Coded Credentials vulnerability in Siemens Sicam PAS

An issue was discovered in Siemens SICAM PAS before 8.00.

7.5
2017-02-13 CVE-2016-8363 Moxa Permissions, Privileges, and Access Controls vulnerability in Moxa products

An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series.

7.5
2017-02-13 CVE-2016-8361 Lynxspring USE of Hard-Coded Credentials vulnerability in Lynxspring Jenesys BAS Bridge

An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older.

7.5
2017-02-13 CVE-2016-8352 Schneider Electric Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Schneider-Electric Connexium Firmware

An issue was discovered in Schneider Electric ConneXium firewalls TCSEFEC23F3F20 all versions, TCSEFEC23F3F21 all versions, TCSEFEC23FCF20 all versions, TCSEFEC23FCF21 all versions, and TCSEFEC2CF3F20 all versions.

7.5
2017-02-13 CVE-2016-8348 Emerson XXE vulnerability in Emerson Liebert Sitescan web

An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior.

7.5
2017-02-13 CVE-2016-8341 Ecava SQL Injection vulnerability in Ecava Integraxor 5.0.413.0

An issue was discovered in Ecava IntegraXor Version 5.0.413.0.

7.5
2017-02-13 CVE-2016-5818 Schneider Electric USE of Hard-Coded Credentials vulnerability in Schneider-Electric Powerlogic Pm8Ecc Firmware 2.651

An issue was discovered in Schneider Electric PowerLogic PM8ECC device 2.651 and older.

7.5
2017-02-13 CVE-2016-5815 Schneider Electric Improper Access Control vulnerability in Schneider-Electric products

An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series.

7.5
2017-02-13 CVE-2016-5803 CA Technologies Path Traversal vulnerability in CA Technologies Unified Infrastructure Management

An issue was discovered in CA Unified Infrastructure Management Version 8.47 and earlier.

7.5
2017-02-13 CVE-2016-5782 Locusenergy Improper Input Validation vulnerability in Locusenergy Lgate Firmware

An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50, LGate 100, LGate 101, LGate 120, and LGate 320.

7.5
2017-02-13 CVE-2016-8859 Etalabs Integer Overflow OR Wraparound vulnerability in Etalabs Musl

Multiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write.

7.5
2017-02-13 CVE-2016-7565 Exponentcms Improper Access Control vulnerability in Exponentcms Exponent CMS 2.3.9

install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter.

7.5
2017-02-13 CVE-2016-2788 Puppet Improper Access Control vulnerability in Puppet Marionette Collective and Puppet

MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.

7.5
2017-02-13 CVE-2015-8771 Gosa Project Code Injection vulnerability in Gosa Project Gosa Plugin

The generate_smb_nt_hash function in include/functions.inc in GOsa allows remote attackers to execute arbitrary commands via a crafted password.

7.5
2017-02-13 CVE-2015-8768 Click Project
Canonical
Permissions, Privileges, and Access Controls vulnerability in multiple products

click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.

7.5
2017-02-18 CVE-2017-6074 Linux Double Free vulnerability in Linux Kernel

The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call.

7.2
2017-02-15 CVE-2017-0324 Nvidia
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the size of an input buffer is not validated, leading to denial of service or potential escalation of privileges.

7.2
2017-02-15 CVE-2017-0323 Nvidia
Microsoft
Null Pointer Dereference vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler where a NULL pointer dereference caused by invalid user input may lead to denial of service or potential escalation of privileges.

7.2
2017-02-15 CVE-2017-0322 Nvidia
Microsoft
Improper Validation of Array Index vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler where a value passed from a user to the driver is not correctly validated and used as the index to an array, leading to denial of service or potential escalation of privileges.

7.2
2017-02-15 CVE-2017-0321 Nvidia
Freebsd
Linux
Microsoft
Oracle
Null Pointer Dereference vulnerability in Nvidia GPU Driver

All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler where a NULL pointer dereference caused by invalid user input may lead to denial of service or potential escalation of privileges.

7.2
2017-02-15 CVE-2017-0315 Nvidia
Microsoft
Null Pointer Dereference vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where an attempt to access an invalid object pointer may lead to denial of service or potential escalation of privileges.

7.2
2017-02-15 CVE-2017-0314 Nvidia
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) implementation of the SubmitCommandVirtual DDI (DxgkDdiSubmitCommandVirtual) where untrusted input is used to reference memory outside of the intended boundary of the buffer leading to denial of service or escalation of privileges.

7.2
2017-02-15 CVE-2017-0313 Nvidia
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) implementation of the SubmitCommandVirtual DDI (DxgkDdiSubmitCommandVirtual) where untrusted input is used to reference memory outside of the intended boundary of the buffer leading to denial of service or escalation of privileges.

7.2
2017-02-15 CVE-2017-0312 Nvidia
Microsoft
Improper Input Validation vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscapeID 0x100008b where user provided input is used as the limit for a loop may lead to denial of service or potential escalation of privileges

7.2
2017-02-15 CVE-2017-0311 Nvidia
Freebsd
Linux
Microsoft
Oracle
Incorrect Permission Assignment FOR Critical Resource vulnerability in Nvidia GPU Driver

NVIDIA GPU Display Driver R378 contains a vulnerability in the kernel mode layer handler where improper access control may lead to denial of service or possible escalation of privileges.

7.2
2017-02-15 CVE-2017-0309 Nvidia
Freebsd
Linux
Microsoft
Oracle
Integer Overflow OR Wraparound vulnerability in Nvidia GPU Driver

All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler where multiple integer overflows may cause improper memory allocation leading to a denial of service or potential escalation of privileges.

7.2
2017-02-15 CVE-2017-0308 Nvidia
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where untrusted input is used for buffer size calculation leading to denial of service or escalation of privileges.

7.2
2017-02-15 CVE-2016-8972 IBM Permissions, Privileges, and Access Controls vulnerability in IBM AIX and Vios

IBM AIX 6.1, 7.1, and 7.2 could allow a local user to gain root privileges using a specially crafted command within the bellmail client.

7.2
2017-02-15 CVE-2016-6079 IBM Permissions, Privileges, and Access Controls vulnerability in IBM AIX and Vios

IBM AIX 5.3, 6.1, 7.1, and 7.2 contains an unspecified vulnerability that would allow a locally authenticated user to obtain root level privileges.

7.2
2017-02-15 CVE-2016-1889 Freebsd Integer Overflow OR Wraparound vulnerability in Freebsd

Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0 when configured with a large amount of guest memory, allows local users to gain privilege via a crafted device descriptor.

7.2
2017-02-15 CVE-2016-1883 Freebsd Permissions, Privileges, and Access Controls vulnerability in Freebsd 10.1/10.2/9.3

The issetugid system call in the Linux compatibility layer in FreeBSD 9.3, 10.1, and 10.2 allows local users to gain privilege via unspecified vectors.

7.2
2017-02-15 CVE-2016-1881 Freebsd Permissions, Privileges, and Access Controls vulnerability in Freebsd 10.1/10.2/9.3

The kernel in FreeBSD 9.3, 10.1, and 10.2 allows local users to cause a denial of service (crash) or potentially gain privilege via a crafted Linux compatibility layer setgroups system call.

7.2
2017-02-15 CVE-2016-1880 Freebsd Permissions, Privileges, and Access Controls vulnerability in Freebsd 10.1/10.2/9.3

The Linux compatibility layer in the kernel in FreeBSD 9.3, 10.1, and 10.2 allows local users to read portions of kernel memory and potentially gain privilege via unspecified vectors, related to "handling of Linux futex robust lists."

7.2
2017-02-15 CVE-2016-10089 Nagios Permissions, Privileges, and Access Controls vulnerability in Nagios

Nagios 4.3.2 and earlier allows local users to gain root privileges via a hard link attack on the Nagios init script file, related to CVE-2016-8641.

7.2
2017-02-13 CVE-2016-9353 Advantech Permissions, Privileges, and Access Controls vulnerability in Advantech Susiaccess

An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior.

7.2
2017-02-18 CVE-2017-5986 Linux Reachable Assertion vulnerability in Linux Kernel

Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state.

7.1
2017-02-13 CVE-2016-9354 Moxa Resource Management Errors vulnerability in Moxa Dacenter

An issue was discovered in Moxa DACenter Versions 1.4 and older.

7.1

207 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-02-15 CVE-2017-0317 Nvidia
Microsoft
Incorrect Permission Assignment FOR Critical Resource vulnerability in Nvidia GPU Driver

All versions of NVIDIA GPU and GeForce Experience installer contain a vulnerability where it fails to set proper permissions on the package extraction path thus allowing a non-privileged user to tamper with the extracted files, potentially leading to escalation of privileges via code execution.

6.9
2017-02-13 CVE-2016-8659 Bubblewrap Project Permissions, Privileges, and Access Controls vulnerability in Bubblewrap Project Bubblewrap

Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might allow local users to gain privileges by attaching to the process, as demonstrated by sending commands to a PrivSep socket.

6.9
2017-02-17 CVE-2017-6055 Eparaksts XXE vulnerability in Eparaksts Eparakstitajs 3

XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file.

6.8
2017-02-17 CVE-2017-5019 Google USE After Free vulnerability in Google Chrome

A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2017-02-17 CVE-2017-5014 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

Heap buffer overflow during image processing in Skia in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

6.8
2017-02-17 CVE-2017-5012 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

A heap buffer overflow in V8 in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2017-02-17 CVE-2017-5009 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

WebRTC in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

6.8
2017-02-17 CVE-2016-9831 Libming Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Libming

Heap-based buffer overflow in the parseSWF_RGBA function in parser.c in the listswf tool in libming 0.4.7 allows remote attackers to have unspecified impact via a crafted SWF file.

6.8
2017-02-17 CVE-2016-9829 Libming Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Libming

Heap-based buffer overflow in the parseSWF_DEFINEFONT function in parser.c in the listswf tool in libming 0.4.7 allows remote attackers to have unspecified impact via a crafted SWF file.

6.8
2017-02-17 CVE-2016-4311 Wso2 Cross-Site Request Forgery (CSRF) vulnerability in Wso2 Identity Server 5.1.0

Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request.

6.8
2017-02-15 CVE-2016-8677 Imagemagick
Opensuse
Debian
Buffer Errors vulnerability in Imagemagick

The AcquireQuantumPixels function in MagickCore/quantum.c in ImageMagick before 7.0.3-1 allows remote attackers to have unspecified impact via a crafted image file, which triggers a memory allocation failure.

6.8
2017-02-15 CVE-2016-9560 Jasper Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Jasper Project Jasper

Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer 1.900.26, 1.900.27, 1.900.28, 1.900.29 and 1.900.30 allows remote attackers to have unspecified impact via a crafted image.

6.8
2017-02-15 CVE-2016-8866 Imagemagick
Opensuse
Opensuse Project
Buffer Errors vulnerability in Imagemagick

The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick 7.0.3.3 before 7.0.3.8 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure.

6.8
2017-02-15 CVE-2016-8862 Imagemagick
Debian
Buffer Errors vulnerability in Imagemagick

The AcquireMagickMemory function in MagickCore/memory.c in ImageMagick before 7.0.3.3 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure.

6.8
2017-02-15 CVE-2016-8693 Jasper Project
Opensuse
Fedoraproject
Double Free vulnerability in multiple products

Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command.

6.8
2017-02-15 CVE-2016-8684 Graphicsmagick
Opensuse
Debian
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a "file truncation error for corrupt file."

6.8
2017-02-15 CVE-2016-8683 Graphicsmagick
Opensuse
Debian
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The ReadPCXImage function in coders/pcx.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a "file truncation error for corrupt file."

6.8
2017-02-15 CVE-2016-6077 IBM Improper Access Control vulnerability in IBM Cognos Disclosure Management

IBM Cognos Disclosure Management 10.2 could allow a malicious attacker to execute commands as a lower privileged user that opens a malicious document.

6.8
2017-02-15 CVE-2016-6033 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM products

IBM Tivoli Storage Manager for Virtual Environments 7.1 (VMware) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2017-02-15 CVE-2017-2995 Adobe
Apple
Google
Linux
Microsoft
Incorrect Type Conversion OR Cast vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable type confusion vulnerability related to the MessageChannel class.

6.8
2017-02-15 CVE-2017-2994 Adobe
Apple
Google
Linux
Microsoft
USE After Free vulnerability in Adobe Flash Player

Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable use after free vulnerability in Primetime SDK event dispatch.

6.8
2017-02-13 CVE-2017-5149 ST Jude Medical Null Pointer Dereference vulnerability in ST. Jude Medical Merlin@Home Firmware

An issue was discovered in St.

6.8
2017-02-13 CVE-2017-5165 Binom3 Cross-Site Request Forgery (CSRF) vulnerability in Binom3 Universal Multifunctional Electric Power Quality Meter Firmware

An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter.

6.8
2017-02-13 CVE-2016-9365 Moxa Cross-Site Request Forgery (CSRF) vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

6.8
2017-02-13 CVE-2016-8369 Lynxspring Cross-Site Request Forgery (CSRF) vulnerability in Lynxspring Jenesys BAS Bridge

An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older.

6.8
2017-02-13 CVE-2016-8360 Moxa Double Free vulnerability in Moxa Softcms 1.2/1.3/1.4

An issue was discovered in Moxa SoftCMS versions prior to Version 1.6.

6.8
2017-02-13 CVE-2016-8350 Iologik Cross-Site Request Forgery (CSRF) vulnerability in Iologik E1200 Series Firmware and E2200 Series Firmware

An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12.

6.8
2017-02-13 CVE-2016-5809 Schneider Electric Cross-Site Request Forgery (CSRF) vulnerability in Schneider-Electric products

An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series.

6.8
2017-02-13 CVE-2016-5805 Delta Electronics Buffer Errors vulnerability in Delta Electronics Ispsoft, Pmsoft and Wplsoft

An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to2.10.10.

6.8
2017-02-13 CVE-2016-5802 Delta Electronics Out-Of-Bounds Write vulnerability in Delta Electronics Ispsoft, Pmsoft and Wplsoft

An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to 2.10.10.

6.8
2017-02-13 CVE-2016-5796 Fatek Buffer Errors vulnerability in Fatek Automation FV Designer and Automation PM Designer

An issue was discovered in Fatek Automation PM Designer V3 Version 2.1.2.2, and Automation FV Designer Version 1.2.8.0.

6.8
2017-02-13 CVE-2016-3616 Libjpeg Turbo
Redhat
Debian
Canonical
Null Pointer Dereference vulnerability in multiple products

The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.

6.8
2017-02-17 CVE-2017-6065 Metalgenix SQL Injection vulnerability in Metalgenix Genixcms

SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter.

6.5
2017-02-13 CVE-2017-5142 Honeywell Improper Privilege Management vulnerability in Honeywell XL web II Controller Xlwebexe10208/Xlwebexe20100

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior.

6.5
2017-02-13 CVE-2017-5141 Honeywell Session Fixation vulnerability in Honeywell XL web II Controller Xlwebexe10208/Xlwebexe20100

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior.

6.5
2017-02-13 CVE-2016-10224 Sauter 7PK - Security Features vulnerability in Sauter Novaweb web HMI

An issue was discovered in Sauter NovaWeb web HMI.

6.5
2017-02-13 CVE-2017-5152 Advantech Improper Authentication vulnerability in Advantech Webaccess 8.1

An issue was discovered in Advantech WebAccess Version 8.1.

6.4
2017-02-13 CVE-2016-9362 Wago Improper Authentication vulnerability in Wago products

An issue was discovered in WAGO 750-8202/PFC200 prior to FW04 (released August 2015), WAGO 750-881 prior to FW09 (released August 2016), and WAGO 0758-0874-0000-0111.

6.4
2017-02-17 CVE-2016-4312 Wso2 XXE vulnerability in Wso2 Identity Server 5.1.0

XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp.

6.0
2017-02-13 CVE-2016-8358 Smiths Medical Origin Validation Error vulnerability in Smiths-Medical Cadd-Solis Medication Safety Software

An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1.

6.0
2017-02-13 CVE-2016-9351 Advantech Path Traversal vulnerability in Advantech Susiaccess

An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior.

6.0
2017-02-13 CVE-2016-8377 Fatek Automation Buffer Errors vulnerability in Fatek Automation PLC Winproladder Firmware 3.11

An issue was discovered in Fatek Automation PLC WinProladder Version 3.11 Build 14701.

6.0
2017-02-15 CVE-2017-5992 Python XXE vulnerability in Python Openpyxl 2.4.1

Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document.

5.8
2017-02-13 CVE-2016-8376 Kabona AB Open Redirect vulnerability in Kabona AB Webdatorcentral

An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0.

5.8
2017-02-13 CVE-2016-8495 Fortinet Information Exposure vulnerability in Fortinet Fortimanager Firmware

An improper certificate validation vulnerability in Fortinet FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 allows remote attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack via the Fortisandbox devices probing feature.

5.8
2017-02-13 CVE-2016-8357 Lynxspring Permissions, Privileges, and Access Controls vulnerability in Lynxspring Jenesys BAS Bridge

An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older.

5.5
2017-02-13 CVE-2016-8353 Osisoft Permissions, Privileges, and Access Controls vulnerability in Osisoft PI web API 2015 R2 1.5.1

An issue was discovered in OSIsoft PI Web API 2015 R2 (Version 1.5.1).

5.5
2017-02-13 CVE-2016-9347 Emerson 7PK - Security Features vulnerability in Emerson products

An issue was discovered in Emerson SE4801T0X Redundant Wireless I/O Card V13.3, and SE4801T1X Simplex Wireless I/O Card V13.3.

5.4
2017-02-13 CVE-2017-5169 Hanwha Techwin Cross-Site Request Forgery (CSRF) vulnerability in Hanwha Techwin Smart Security Manager

An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior.

5.1
2017-02-13 CVE-2017-5168 Hanwha Techwin Path Traversal vulnerability in Hanwha Techwin Smart Security Manager

An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior.

5.1
2017-02-13 CVE-2016-8354 Schneider Electric Code Injection vulnerability in Schneider-Electric Unity PRO 11.0/6.0/7.0

An issue was discovered in Schneider Electric Unity PRO prior to V11.1.

5.1
2017-02-17 CVE-2016-5044 Libdwarf Project Out-Of-Bounds Write vulnerability in Libdwarf Project Libdwarf

The WRITE_UNALIGNED function in dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted DWARF section.

5.0
2017-02-17 CVE-2016-5043 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The dwarf_dealloc function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted DWARF section.

5.0
2017-02-17 CVE-2016-5042 Libdwarf Project Resource Management Errors vulnerability in Libdwarf Project Libdwarf

The dwarf_get_aranges_list function in libdwarf before 20160923 allows remote attackers to cause a denial of service (infinite loop and crash) via a crafted DWARF section.

5.0
2017-02-17 CVE-2016-5039 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The get_attr_value function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted object with all-bits on.

5.0
2017-02-17 CVE-2016-5038 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The dwarf_get_macro_startend_file function in dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted string offset for .debug_str.

5.0
2017-02-17 CVE-2016-5036 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The dump_block function in print_sections.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted frame data.

5.0
2017-02-17 CVE-2017-6056 Canonical
Debian
Infinite Loop vulnerability in multiple products

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.

5.0
2017-02-17 CVE-2017-5357 Fedoraproject
GNU
USE After Free vulnerability in multiple products

regex.c in GNU ed before 1.14.1 allows attackers to cause a denial of service (crash) via a malformed command, which triggers an invalid free.

5.0
2017-02-17 CVE-2016-5417 GNU Resource Management Errors vulnerability in GNU Glibc

Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures.

5.0
2017-02-16 CVE-2016-5919 IBM Inadequate Encryption Strength vulnerability in IBM products

IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

5.0
2017-02-16 CVE-2017-6004 Pcre Out-Of-Bounds Read vulnerability in Pcre

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

5.0
2017-02-15 CVE-2017-5997 SAP Missing Release of Resource After Effective Lifetime vulnerability in SAP Kernel 7.21/7.22/7.42

The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972.

5.0
2017-02-15 CVE-2016-8689 Libarchive
Opensuse
Out-Of-Bounds Read vulnerability in multiple products

The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive.

5.0
2017-02-15 CVE-2016-8687 Libarchive
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in the safe_fprintf function in tar/util.c in libarchive 3.2.1 allows remote attackers to cause a denial of service via a crafted non-printable multibyte character in a filename.

5.0
2017-02-15 CVE-2016-8682 Graphicsmagick
Opensuse
Debian
Out-Of-Bounds Read vulnerability in multiple products

The ReadSCTImage function in coders/sct.c in GraphicsMagick 1.3.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted SCT header.

5.0
2017-02-15 CVE-2016-6866 Suckless
Fedoraproject
Null Pointer Dereference vulnerability in multiple products

slock allows attackers to bypass the screen lock via vectors involving an invalid password hash, which triggers a NULL pointer dereference and crash.

5.0
2017-02-15 CVE-2016-1888 Freebsd Improper Authentication vulnerability in Freebsd

The telnetd service in FreeBSD 9.3, 10.1, 10.2, 10.3, and 11.0 allows remote attackers to inject arguments to login and bypass authentication via vectors involving a "sequence of memory allocation failures."

5.0
2017-02-15 CVE-2015-8979 Debian
Dicom
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a long string sent to TCP port 4242.

5.0
2017-02-15 CVE-2017-5991 Artifex Null Pointer Dereference vulnerability in Artifex Mupdf

An issue was discovered in Artifex Software, Inc.

5.0
2017-02-15 CVE-2017-2981 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-15 CVE-2017-2980 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-15 CVE-2017-2979 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-15 CVE-2017-2978 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-15 CVE-2017-2977 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-15 CVE-2017-2976 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-15 CVE-2017-2975 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-15 CVE-2017-2974 Adobe Out-Of-Bounds Read vulnerability in Adobe Digital Editions

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability.

5.0
2017-02-14 CVE-2017-5970 Linux Null Pointer Dereference vulnerability in Linux Kernel

The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options.

5.0
2017-02-13 CVE-2017-5166 Binom3 Information Exposure vulnerability in Binom3 Universal Multifunctional Electric Power Quality Meter Firmware

An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter.

5.0
2017-02-13 CVE-2017-5146 Carlosgavazzi Information Exposure vulnerability in Carlosgavazzi Vmu-C EM Firmware and Vmu-C PV Firmware

An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17.

5.0
2017-02-13 CVE-2017-5140 Honeywell Insufficiently Protected Credentials vulnerability in Honeywell XL web II Controller Xlwebexe10208/Xlwebexe20100

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior.

5.0
2017-02-13 CVE-2017-5139 Honeywell Insufficiently Protected Credentials vulnerability in Honeywell XL web II Controller Xlwebexe10208/Xlwebexe20100

An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior.

5.0
2017-02-13 CVE-2016-9366 Moxa Permissions, Privileges, and Access Controls vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

5.0
2017-02-13 CVE-2016-9364 Fidelex Path Traversal vulnerability in Fidelex Fx-2030A-Basic Firmware and Fx-2030A Firmware

An issue was discovered in Fidelix FX-20 series controllers, versions prior to 11.50.19.

5.0
2017-02-13 CVE-2016-9357 Eaton Path Traversal vulnerability in Eaton products

An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014.

5.0
2017-02-13 CVE-2016-9349 Advantech Information Exposure vulnerability in Advantech Susiaccess

An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior.

5.0
2017-02-13 CVE-2016-9346 Moxa Cryptographic Issues vulnerability in Moxa products

An issue was discovered in Moxa MiiNePort E1 versions prior to 1.8, E2 versions prior to 1.4, and E3 versions prior to 1.1.

5.0
2017-02-13 CVE-2016-9344 Moxa Information Exposure Through LOG Files vulnerability in Moxa products

An issue was discovered in Moxa MiiNePort E1 versions prior to 1.8, E2 versions prior to 1.4, and E3 versions prior to 1.1.

5.0
2017-02-13 CVE-2016-9339 Interschalt Maritime Systems Path Traversal vulnerability in Interschalt Maritime Systems VDR G4E Firmware

An issue was discovered in INTERSCHALT Maritime Systems VDR G4e Versions 5.220 and prior.

5.0
2017-02-13 CVE-2016-9334 Rockwellautomation Multiple Security vulnerability in Rockwell Automation MicroLogix 1100 and 1400

An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions.

5.0
2017-02-13 CVE-2016-8378 Lynxspring Credentials Management vulnerability in Lynxspring Jenesys BAS Bridge

An issue was discovered in Lynxspring JENEsys BAS Bridge versions 1.1.8 and older.

5.0
2017-02-13 CVE-2016-8370 Mitsubishi Electric USE of A Broken OR Risky Cryptographic Algorithm vulnerability in Mitsubishi Electric products

An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions.

5.0
2017-02-13 CVE-2016-8368 Mitsubishi Electric Resource Management Errors vulnerability in Mitsubishi Electric products

An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions.

5.0
2017-02-13 CVE-2016-8367 Schneider Electric Resource Exhaustion vulnerability in Schneider Electric products

An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe).

5.0
2017-02-13 CVE-2016-8347 Kabona AB Improper Authentication vulnerability in Kabona AB Webdatorcentral

An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0.

5.0
2017-02-13 CVE-2016-8346 Moxa Information Exposure Through LOG Files vulnerability in Moxa Edr-810 Firmware

An issue was discovered in Moxa EDR-810 Industrial Secure Router.

5.0
2017-02-13 CVE-2016-5813 Visonic Information Exposure vulnerability in Visonic Powerlink2 Firmware

An issue was discovered in Visonic PowerLink2, all versions prior to October 2016 firmware release.

5.0
2017-02-13 CVE-2016-5801 Omnimetrix Improper Access Control vulnerability in Omnimetrix Omniview 1.2

An issue was discovered in OmniMetrix OmniView, Version 1.2.

5.0
2017-02-13 CVE-2016-5798 Fatek Buffer Errors vulnerability in Fatek Automation FV Designer and Automation PM Designer

An issue was discovered in Fatek Automation PM Designer V3 Version 2.1.2.2, and Automation FV Designer Version 1.2.8.0.

5.0
2017-02-13 CVE-2016-5786 Omnimetrix Information Exposure vulnerability in Omnimetrix Omniview 1.2

An issue was discovered in OmniMetrix OmniView, Version 1.2.

5.0
2017-02-13 CVE-2016-6129 OP TEE
Libtom
Improper Input Validation vulnerability in multiple products

The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack.

5.0
2017-02-13 CVE-2016-5100 Froxlor USE of Insufficiently Random Values vulnerability in Froxlor

Froxlor before 0.9.35 uses the PHP rand function for random number generation, which makes it easier for remote attackers to guess the password reset token by predicting a value.

5.0
2017-02-13 CVE-2016-4547 Samsung Improper Input Validation vulnerability in Samsung Mobile

Samsung devices with Android KK(4.4), L(5.0/5.1), or M(6.0) allow attackers to cause a denial of service (system crash) via a crafted system call to TvoutService_C.

5.0
2017-02-13 CVE-2016-3995 Cryptopp Information Exposure vulnerability in Cryptopp Crypto++

The timing attack protection in Rijndael::Enc::ProcessAndXorBlock and Rijndael::Dec::ProcessAndXorBlock in Crypto++ (aka cryptopp) before 5.6.4 may be optimized out by the compiler, which allows attackers to conduct timing attacks.

5.0
2017-02-13 CVE-2016-2787 Puppet
Puppetlabs
Improper Access Control vulnerability in multiple products

The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors.

5.0
2017-02-13 CVE-2016-10026 Ikiwiki Improper Access Control vulnerability in Ikiwiki 3.20161219

ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made.

5.0
2017-02-15 CVE-2017-0320 Nvidia
Microsoft
Unspecified vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper handling of values may cause a denial of service on the system.

4.9
2017-02-15 CVE-2017-0319 Nvidia
Microsoft
Unspecified vulnerability in Nvidia GPU Driver

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper handling of values may cause a denial of service on the system.

4.9
2017-02-15 CVE-2017-0318 Nvidia
Freebsd
Microsoft
Oracle
Improper Input Validation vulnerability in Nvidia GPU Driver

All versions of NVIDIA Linux GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper validation of an input parameter may cause a denial of service on the system.

4.9
2017-02-15 CVE-2017-0310 Nvidia
Freebsd
Linux
Microsoft
Oracle
Improper Privilege Management vulnerability in Nvidia GPU Driver

All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper access controls allowing unprivileged user to cause a denial of service.

4.9
2017-02-15 CVE-2016-8944 IBM Improper Input Validation vulnerability in IBM AIX 7.1/7.2

IBM AIX 7.1 and 7.2 allows a local user to open a file with a specially crafted argument that would crash the system.

4.9
2017-02-13 CVE-2016-9345 Emerson Permissions, Privileges, and Access Controls vulnerability in Emerson Deltav 12.3/12.3.1/13.3

An issue was discovered in Emerson DeltaV Easy Security Management DeltaV V12.3, DeltaV V12.3.1, and DeltaV V13.3.

4.9
2017-02-17 CVE-2016-6252 Shadow Project Integer Overflow OR Wraparound vulnerability in Shadow Project Shadow 4.2.1

Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.

4.6
2017-02-15 CVE-2017-3801 Cisco Incorrect Authorization vulnerability in Cisco Unified Computing System Director 6.0.0.0/6.0.0.1

A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability.

4.6
2017-02-13 CVE-2016-9356 Moxa Improper Access Control vulnerability in Moxa Dacenter

An issue was discovered in Moxa DACenter Versions 1.4 and older.

4.6
2017-02-13 CVE-2016-8566 Siemens Credentials Management vulnerability in Siemens Sicam PAS

An issue was discovered in Siemens SICAM PAS before 8.00.

4.6
2017-02-13 CVE-2016-9360 General Electric Information Exposure vulnerability in General Electric Cimplicity, Historian and Ifix

An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions.

4.4
2017-02-13 CVE-2016-2568 Freedesktop Improper Encoding OR Escaping of Output vulnerability in Freedesktop Polkit

pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

4.4
2017-02-17 CVE-2016-7511 Libdwarf Project Integer Overflow OR Wraparound vulnerability in Libdwarf Project Libdwarf 20160613

Integer overflow in the dwarf_die_deliv.c in libdwarf 20160613 allows remote attackers to cause a denial of service (crash) via a crafted file.

4.3
2017-02-17 CVE-2016-7510 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The read_line_table_program function in dwarf_line_table_reader_common.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted input.

4.3
2017-02-17 CVE-2016-6191 Inverse Cross-Site Scripting vulnerability in Inverse Sogo

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field.

4.3
2017-02-17 CVE-2016-5364 Mantisbt Cross-Site Scripting vulnerability in Mantisbt

Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter.

4.3
2017-02-17 CVE-2016-5040 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a large length value in a compilation unit header.

4.3
2017-02-17 CVE-2016-5037 Libdwarf Project Null Pointer Dereference vulnerability in Libdwarf Project Libdwarf

The _dwarf_load_section function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.

4.3
2017-02-17 CVE-2016-5035 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The _dwarf_read_line_table_header function in dwarf_line_table_reader.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file.

4.3
2017-02-17 CVE-2016-5034 Libdwarf Project Out-Of-Bounds Write vulnerability in Libdwarf Project Libdwarf

dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file, related to relocation records.

4.3
2017-02-17 CVE-2016-5033 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The print_exprloc_content function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file.

4.3
2017-02-17 CVE-2016-5032 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The dwarf_get_xu_hash_entry function in libdwarf before 20160923 allows remote attackers to cause a denial of service (crash) via a crafted file.

4.3
2017-02-17 CVE-2016-5031 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file.

4.3
2017-02-17 CVE-2016-5030 Libdwarf Project Null Pointer Dereference vulnerability in Libdwarf Project Libdwarf

The _dwarf_calculate_info_section_end_ptr function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.

4.3
2017-02-17 CVE-2016-5029 Libdwarf Project Null Pointer Dereference vulnerability in Libdwarf Project Libdwarf

The create_fullest_file_path function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted dwarf file.

4.3
2017-02-17 CVE-2016-5028 Libdwarf Project Null Pointer Dereference vulnerability in Libdwarf Project Libdwarf

The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via an object file with empty bss-like sections.

4.3
2017-02-17 CVE-2014-9905 Inverse Cross-Site Scripting vulnerability in Inverse Sogo

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.

4.3
2017-02-17 CVE-2017-5027 Google Unspecified vulnerability in Google Chrome

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to properly enforce unsafe-inline content security policy, which allowed a remote attacker to bypass content security policy via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5026 Google Improper Restriction of Rendered UI Layers OR Frames vulnerability in Google Chrome

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to prevent alerts from being displayed by swapped out frames, which allowed a remote attacker to show alerts on a page they don't control via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5025 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file.

4.3
2017-02-17 CVE-2017-5024 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file.

4.3
2017-02-17 CVE-2017-5023 Google Null Pointer Dereference vulnerability in Google Chrome

Type confusion in Histogram in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to potentially exploit a near null dereference via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5022 Google Multiple Security vulnerability in Google Chrome

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to properly enforce unsafe-inline content security policy, which allowed a remote attacker to bypass content security policy via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5021 Google USE After Free vulnerability in Google Chrome

A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5020 Google Cross-Site Scripting vulnerability in Google Chrome

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to require a user gesture for powerful download operations, which allowed a remote attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5018 Google Cross-Site Scripting vulnerability in Google Chrome

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5017 Google Information Exposure vulnerability in Google Chrome

Interactions with the OS in Google Chrome prior to 56.0.2924.76 for Mac insufficiently cleared video memory, which allowed a remote attacker to possibly extract image fragments on systems with GeForce 8600M graphics chips via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5016 Google Improper Restriction of Rendered UI Layers OR Frames vulnerability in Google Chrome

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to prevent certain UI elements from being displayed by non-visible pages, which allowed a remote attacker to show certain UI elements on a page they don't control via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5015 Google Multiple Security vulnerability in Google Chrome

Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled Unicode glyphs, which allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.

4.3
2017-02-17 CVE-2017-5013 Google Multiple Security vulnerability in Google Chrome

Google Chrome prior to 56.0.2924.76 for Linux incorrectly handled new tab page navigations in non-selected tabs, which allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5011 Google Information Exposure vulnerability in Google Chrome

Google Chrome prior to 56.0.2924.76 for Windows insufficiently sanitized DevTools URLs, which allowed a remote attacker who convinced a user to install a malicious extension to read filesystem contents via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5010 Google Cross-Site Scripting vulnerability in Google Chrome

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, resolved promises in an inappropriate context, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5008 Google Cross-Site Scripting vulnerability in Google Chrome

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed attacker controlled JavaScript to be run during the invocation of a private script method, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5007 Google Cross-Site Scripting vulnerability in Google Chrome

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled the sequence of events when closing a page, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

4.3
2017-02-17 CVE-2017-5006 Google Cross-Site Scripting vulnerability in Google Chrome

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, incorrectly handled object owner relationships, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.

4.3
2017-02-17 CVE-2016-9828 Libming Null Pointer Dereference vulnerability in Libming

The dumpBuffer function in read.c in the listswf tool in libming 0.4.7 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted SWF file.

4.3
2017-02-17 CVE-2016-9827 Libming Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Libming

The _iprintf function in outputtxt.c in the listswf tool in libming 0.4.7 allows remote attackers to cause a denial of service (buffer over-read) via a crafted SWF file.

4.3
2017-02-17 CVE-2016-9773 Imagemagick Buffer Errors vulnerability in Imagemagick 7.0.38

Heap-based buffer overflow in the IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file.

4.3
2017-02-17 CVE-2016-9139 Otrs Cross-Site Scripting vulnerability in Otrs

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment.

4.3
2017-02-17 CVE-2016-8652 Dovecot Improper Input Validation vulnerability in Dovecot

The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.

4.3
2017-02-17 CVE-2016-4327 Wso2 Cross-Site Scripting vulnerability in Wso2 Enablement Server FOR Java

Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

4.3
2017-02-17 CVE-2016-4316 Wso2 Cross-Site Scripting vulnerability in Wso2 Carbon 4.4.5

Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) setName parameter to identity-mgt/challenges-mgt.jsp; the (2) webappType or (3) httpPort parameter to webapp-list/webapp_info.jsp; the (4) dsName or (5) description parameter to ndatasource/newdatasource.jsp; the (6) phase parameter to viewflows/handlers.jsp; or the (7) url parameter to ndatasource/validateconnection-ajaxprocessor.jsp.

4.3
2017-02-17 CVE-2016-1249 Perl5 DBI Out-Of-Bounds Read vulnerability in Perl5-Dbi Dbd-Mysql

The DBD::mysql module before 4.039 for Perl, when using server-side prepared statement support, allows attackers to cause a denial of service (out-of-bounds read) via vectors involving an unaligned number of placeholders in WHERE condition and output fields in SELECT expression.

4.3
2017-02-16 CVE-2016-6062 IBM Cross-Site Scripting vulnerability in IBM Resilient 26.0/26.1/26.2

IBM Resilient v26.0, v26.1, and v26.2 is vulnerable to cross-site scripting.

4.3
2017-02-16 CVE-2017-6011 Icoutils Project
Debian
Redhat
Out-Of-Bounds Read vulnerability in multiple products

An issue was discovered in icoutils 0.31.1.

4.3
2017-02-16 CVE-2017-6010 Icoutils Project
Debian
Redhat
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

An issue was discovered in icoutils 0.31.1.

4.3
2017-02-16 CVE-2017-6009 Icoutils Project
Debian
Redhat
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

An issue was discovered in icoutils 0.31.1.

4.3
2017-02-15 CVE-2016-8681 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The _dwarf_get_abbrev_for_code function in dwarf_util.c in libdwarf 20161001 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) by calling the dwarfdump command on a crafted file.

4.3
2017-02-15 CVE-2016-8680 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The _dwarf_get_abbrev_for_code function in dwarf_util.c in libdwarf 20161001 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) by calling the dwarfdump command on a crafted file.

4.3
2017-02-15 CVE-2016-8679 Libdwarf Project Out-Of-Bounds Read vulnerability in Libdwarf Project Libdwarf

The _dwarf_get_size_of_val function in libdwarf/dwarf_util.c in Libdwarf before 20161124 allows remote attackers to cause a denial of service (out-of-bounds read) by calling the dwarfdump command on a crafted file.

4.3
2017-02-15 CVE-2016-8678 Imagemagick Out-Of-Bounds Read vulnerability in Imagemagick 7.0.30

The IsPixelMonochrome function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.0 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted file.

4.3
2017-02-15 CVE-2016-8676 Libav Null Pointer Dereference vulnerability in Libav

The get_vlc2 function in get_bits.h in Libav 11.9 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted mp3 file.

4.3
2017-02-15 CVE-2016-8675 Libav Null Pointer Dereference vulnerability in Libav

The get_vlc2 function in get_bits.h in Libav before 11.9 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted mp3 file, possibly related to startcode sequences during m4v detection.

4.3
2017-02-15 CVE-2016-8674 Artifex USE After Free vulnerability in Artifex Mupdf

The pdf_to_num function in pdf-object.c in MuPDF before 1.10 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted file.

4.3
2017-02-15 CVE-2016-7499 Libav Divide BY Zero vulnerability in Libav 11.7

The sbr_make_f_master function in aacsbr.c in Libav 11.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mp3 file.

4.3
2017-02-15 CVE-2016-7477 Libav Null Pointer Dereference vulnerability in Libav 11.7

The ff_put_pixels8_xy2_mmx function in rnd_template.c in Libav 11.7 allows remote attackers to cause a denial of service (invalid memory access and crash) via a crafted mp3 file.

4.3
2017-02-15 CVE-2016-7393 Libav Out-Of-Bounds Read vulnerability in Libav

Stack-based buffer overflow in the aac_sync function in aac_parser.c in Libav before 11.5 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file.

4.3
2017-02-15 CVE-2016-7392 Autotrace Project Out-Of-Bounds Write vulnerability in Autotrace Project Autotrace 0.31.1

Heap-based buffer overflow in the pstoedit_suffix_table_init function in output-pstoedit.c in AutoTrace 0.31.1 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted bmp image file.

4.3
2017-02-15 CVE-2017-5896 Artifex Out-Of-Bounds Read vulnerability in Artifex Mupdf

Heap-based buffer overflow in the fz_subsample_pixmap function in fitz/pixmap.c in MuPDF 1.10a allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted image.

4.3
2017-02-15 CVE-2016-9010 IBM 7PK - Security Features vulnerability in IBM Integration BUS and Websphere Message Broker

IBM WebSphere Message Broker 9.0 and 10.0 could allow a remote attacker to hijack the clicking action of the victim.

4.3
2017-02-15 CVE-2016-8692 Jasper Project
Fedoraproject
Debian
Divide BY Zero vulnerability in multiple products

The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command.

4.3
2017-02-15 CVE-2016-8691 Jasper Project
Debian
Fedoraproject
Divide BY Zero vulnerability in multiple products

The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command.

4.3
2017-02-15 CVE-2016-8690 Jasper Project
Fedoraproject
Null Pointer Dereference vulnerability in multiple products

The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted BMP image in an imginfo command.

4.3
2017-02-15 CVE-2016-8688 Libarchive
Opensuse
Out-Of-Bounds Read vulnerability in multiple products

The mtree bidder in libarchive 3.2.1 does not keep track of line sizes when extending the read-ahead, which allows remote attackers to cause a denial of service (crash) via a crafted file, which triggers an invalid read in the (1) detect_form or (2) bid_entry function in libarchive/archive_read_support_format_mtree.c.

4.3
2017-02-15 CVE-2016-6832 Libav Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Libav

Heap-based buffer overflow in the ff_audio_resample function in resample.c in libav before 11.4 allows remote attackers to cause a denial of service (crash) via vectors related to buffer resizing.

4.3
2017-02-15 CVE-2017-5990 Phreesoft Cross-Site Scripting vulnerability in Phreesoft Phreebookserp

An issue was discovered in PhreeBooksERP before 2017-02-13.

4.3
2017-02-15 CVE-2017-2969 Adobe Cross-Site Scripting vulnerability in Adobe Campaign 16.4

Adobe Campaign versions 16.4 Build 8724 and earlier have a cross-site scripting (XSS) vulnerability.

4.3
2017-02-13 CVE-2017-5164 Binom3 Cross-Site Scripting vulnerability in Binom3 Universal Multifunctional Electric Power Quality Meter Firmware

An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter.

4.3
2017-02-13 CVE-2017-5163 Belden Hirschmann Path Traversal vulnerability in Belden Hirschmann Gecko Lite Managed Switch Firmware

An issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions.

4.3
2017-02-13 CVE-2017-5157 Schneider Electric Cross-Site Scripting vulnerability in Schneider Electric Homelynk Controller Lss100100 Firmware 1.3.0

An issue was discovered in Schneider Electric homeLYnk Controller, LSS100100, all versions prior to V1.5.0.

4.3
2017-02-13 CVE-2016-9371 Moxa Cross-Site Scripting vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

4.3
2017-02-13 CVE-2016-8379 Iologik Multiple Security vulnerability in Iologik E1200 Series Firmware and E2200 Series Firmware

An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12.

4.3
2017-02-13 CVE-2016-8372 Iologik Credentials Management vulnerability in Iologik E1200 Series Firmware and E2200 Series Firmware

An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12.

4.3
2017-02-13 CVE-2016-8359 Iologik Cross-Site Scripting vulnerability in Iologik E1200 Series Firmware and E2200 Series Firmware

An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12.

4.3
2017-02-13 CVE-2016-8356 Kabona AB Cross-Site Scripting vulnerability in Kabona AB Webdatorcentral

An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0.

4.3
2017-02-13 CVE-2016-8344 Honeywell Improper Input Validation vulnerability in Honeywell Experion Process Knowledge System 410/430/431

An issue was discovered in Honeywell Experion Process Knowledge System (PKS) platform: Experion PKS, Release 3xx and prior, Experion PKS, Release 400, Experion PKS, Release 410, Experion PKS, Release 430, and Experion PKS, Release 431.

4.3
2017-02-13 CVE-2016-5811 Visonic Cross-Site Scripting vulnerability in Visonic Powerlink2 Firmware

An issue was discovered in Visonic PowerLink2, all versions prior to October 2016 firmware release.

4.3
2017-02-13 CVE-2016-2274 Adcon Telemetry Cross-Site Scripting vulnerability in Adcon Telemetry A850 Telemetry Gateway Base Station Firmware

An issue was discovered in Adcon Telemetry A850 Telemetry Gateway Base Station.

4.3
2017-02-13 CVE-2015-8750 Libdwarf Project Null Pointer Dereference vulnerability in Libdwarf Project Libdwarf 20151114

libdwarf 20151114 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a debug_abbrev section marked NOBITS in an ELF file.

4.3
2017-02-13 CVE-2014-9760 Gosa Project Cross-Site Scripting vulnerability in Gosa Project Gosa

Cross-site scripting (XSS) vulnerability in the displayLogin function in html/index.php in GOsa allows remote attackers to inject arbitrary web script or HTML via the username.

4.3
2017-02-13 CVE-2016-6210 Openbsd Information Exposure vulnerability in Openbsd Openssh

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

4.3
2017-02-13 CVE-2017-3896 Mcafee Improper Input Validation vulnerability in Mcafee Agent

Unvalidated parameter vulnerability in the remote log viewing capability in Intel Security McAfee Agent 5.0.x versions prior to 5.0.4.449 allows remote attackers to pass unexpected input parameters via a URL that was not completely validated.

4.3
2017-02-17 CVE-2016-6190 Inverse INC Information Exposure vulnerability in Inverse-Inc Sogo

SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users.

4.0
2017-02-17 CVE-2016-6189 Inverse Incomplete Blacklist vulnerability in Inverse Sogo

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds.

4.0
2017-02-17 CVE-2016-9955 Simplesamlphp
Debian
Improper Input Validation vulnerability in multiple products

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

4.0
2017-02-17 CVE-2016-4314 Wso2 Path Traversal vulnerability in Wso2 Carbon 4.4.5

Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a ..

4.0
2017-02-15 CVE-2016-6060 IBM Information Exposure vulnerability in IBM products

An undisclosed vulnerability in IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 could allow a JazzGuest user to see project names.

4.0
2017-02-13 CVE-2016-9338 Rockwellautomation Multiple Security vulnerability in Rockwell Automation MicroLogix 1100 and 1400

An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions.

4.0
2017-02-13 CVE-2016-9337 Tesla Command Injection vulnerability in Tesla Gateway ECU

An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled.

4.0
2017-02-13 CVE-2016-8362 Moxa Improper Authentication vulnerability in Moxa products

An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series.

4.0

14 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-02-17 CVE-2016-9637 Citrix Permissions, Privileges, and Access Controls vulnerability in Citrix Xenserver

The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.

3.7
2017-02-17 CVE-2017-5998 Intersect Alliance Cross-Site Scripting vulnerability in Intersect Alliance Snare Epilog 1.5.0

Cross-site scripting (XSS) vulnerability in InterSect Alliance SNARE Epilog for UNIX version 1.5 allows remote authenticated users to inject arbitrary web script or HTML via the str_log_name parameter in a "Web Admin Portal > Log Configuration > Add" action.

3.5
2017-02-17 CVE-2016-4315 Wso2 Cross-Site Request Forgery (CSRF) vulnerability in Wso2 Carbon 4.4.5

Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp.

3.5
2017-02-15 CVE-2016-8968 IBM Cross-Site Scripting vulnerability in IBM Rational Collaborative Lifecycle Management 6.0.0/6.0.1/6.0.2

IBM Jazz Foundation is vulnerable to cross-site scripting.

3.5
2017-02-14 CVE-2016-10223 Bigtreecms Improper Access Control vulnerability in Bigtreecms Bigtree CMS

An issue was discovered in BigTree CMS before 4.2.15.

3.5
2017-02-13 CVE-2017-1121 IBM Cross-Site Scripting vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, and 9.0 is vulnerable to cross-site scripting.

3.5
2017-02-13 CVE-2017-3902 Mcafee Cross-Site Scripting vulnerability in Mcafee Epolicy Orchestrator

Cross-site scripting (XSS) vulnerability in the Web user interface (UI) in Intel Security ePO 5.1.3, 5.1.2, 5.1.1, and 5.1.0 allows authenticated users to inject malicious Java scripts via bypassing input validation.

3.5
2017-02-17 CVE-2016-7111 Mantisbt Cross-Site Scripting vulnerability in Mantisbt

MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

2.6
2017-02-14 CVE-2017-5967 Linux Information Exposure vulnerability in Linux Kernel

The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.

2.1
2017-02-13 CVE-2016-9355 BD Credentials Management vulnerability in BD Alaris 8015 PC Unit 9.7

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7.

2.1
2017-02-13 CVE-2017-5153 Osisoft Information Exposure Through LOG Files vulnerability in Osisoft PI Coresight and PI web API

An issue was discovered in OSIsoft PI Coresight 2016 R2 and earlier versions, and PI Web API 2016 R2 when deployed using the PI AF Services 2016 R2 integrated install kit.

2.1
2017-02-13 CVE-2016-9348 Moxa Credentials Management vulnerability in Moxa products

An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions prior to 1.3, NPort 5200A Series versions prior to 1.3, NPort 5150AI-M12 Series versions prior to 1.2, NPort 5250AI-M12 Series versions prior to 1.2, NPort 5450AI-M12 Series versions prior to 1.2, NPort 5600-8-DT Series versions prior to 2.4, NPort 5600-8-DTL Series versions prior to 2.4, NPort 6x50 Series versions prior to 1.13.11, NPort IA5450A versions prior to v1.4.

2.1
2017-02-13 CVE-2016-4546 Samsung Improper Input Validation vulnerability in Samsung Mobile 4.4/5.0/5.1

Samsung devices with Android KK(4.4) or L(5.0/5.1) allow local users to cause a denial of service (IAndroidShm service crash) via crafted data in a service call.

2.1
2017-02-13 CVE-2016-8375 BD Credentials Management vulnerability in BD Alaris 8015 PC Unit 9.7

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit.

1.9