Weekly Vulnerabilities Reports > April 24 to 30, 2017

Overview

463 new vulnerabilities reported during this period, including 29 critical vulnerabilities and 88 high severity vulnerabilities. This weekly summary report vulnerabilities in 324 products from 119 vendors including Oracle, Debian, Google, Redhat, and Juniper. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Information Exposure", "Missing Release of Resource after Effective Lifetime", and "Path Traversal".

  • 379 reported vulnerabilities are remotely exploitables.
  • 28 reported vulnerabilities have public exploit available.
  • 92 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 330 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 196 reported vulnerabilities.
  • Trendmicro has the most reported critical vulnerabilities, with 6 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

29 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-04-29 CVE-2017-6553 Quest Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Quest Privilege Manager FOR Unix

Buffer Overflow in Quest One Identity Privilege Manager for Unix before 6.0.0.061 allows remote attackers to obtain full access to the policy server via an ACT_ALERT_EVENT request that causes memory corruption in the pmmasterd daemon.

10.0
2017-04-28 CVE-2017-2142 Iodata Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Iodata Wn-G300R3 Firmware

Buffer overflow in WN-G300R3 firmware Ver.1.03 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

10.0
2017-04-28 CVE-2017-2096 Smalruby OS Command Injection vulnerability in Smalruby Smalruby-Editor

smalruby-editor v0.4.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

10.0
2017-04-27 CVE-2017-3066 Adobe Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 10.0/11.0/2016

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library.

10.0
2017-04-25 CVE-2017-8224 Wificam Use of Hard-coded Credentials vulnerability in Wificam Wireless IP Camera (P2P) Firmware

Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET.

10.0
2017-04-25 CVE-2017-8218 TP Link Insecure Default Initialization of Resource vulnerability in Tp-Link C20I Firmware and C2 Firmware

vsftpd on TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n has a backdoor admin account with the 1234 password, a backdoor guest account with the guest password, and a backdoor test account with the test password.

10.0
2017-04-24 CVE-2017-3623 Oracle Remote Code Execution vulnerability in Oracle Solaris

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel RPC).

10.0
2017-04-24 CVE-2017-2320 Juniper Information Exposure vulnerability in Juniper Northstar Controller

A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause various denials of services leading to targeted information disclosure, modification of any component of the NorthStar system, including managed systems, and full denial of services to any systems under management which NorthStar interacts with using read-only or read-write credentials.

10.0
2017-04-28 CVE-2017-7895 Linux
Debian
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.

9.8
2017-04-24 CVE-2015-7247 D Link Information Exposure vulnerability in D-Link Dvg-N5402Sp Firmware W1000Cn00/W1000Cn03/W2000En00

D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 discloses usernames, passwords, keys, values, and web account hashes (super and admin) in plaintext when running a configuration backup, which allows remote attackers to obtain sensitive information.

9.8
2017-04-24 CVE-2015-7246 D Link Use of Hard-coded Credentials vulnerability in D-Link Dvg-N5402Sp Firmware W1000Cn00/W1000Cn03/W2000En00

D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access.

9.8
2017-04-28 CVE-2017-2149 Toshiba Untrusted Search Path vulnerability in Toshiba Flashair

Untrusted search path vulnerability in installers of the software for SDHC/SDXC Memory Card with embedded NFC functionality Software Update Tool V1.00.03 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Configuration Software V3.0.2 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WE series<W-03>) V3.00.01, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WD/WC series<W-02>) V2.00.03 and earlier, SDHC Memory Card with embedded wireless LAN functionality FlashAir Software Update tool (SD-WB/WL series) V1.00.04 and earlier, SDHC Memory Card with embedded TransferJet functionality Configuration Software V1.02 and earlier, SDHC Memory Card with embedded TransferJet functionality Software Update tool V1.00.06 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

9.3
2017-04-27 CVE-2017-6037 WE CON Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in We-Con Levi Studio HMI Editor 1.8.0

A Heap-Based Buffer Overflow issue was discovered in Wecon Technologies LEVI Studio HMI Editor before 1.8.1.

9.3
2017-04-27 CVE-2017-6035 WE CON Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in We-Con Levi Studio HMI Editor 1.8.0

A Stack-Based Buffer Overflow issue was discovered in Wecon Technologies LEVI Studio HMI Editor before 1.8.1.

9.3
2017-04-24 CVE-2017-2332 Juniper Improper Authentication vulnerability in Juniper Northstar Controller

An insufficient authentication vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious, network based, unauthenticated attacker to perform privileged actions to gain complete control over the environment.

9.3
2017-04-29 CVE-2017-7981 Enalean
Phpwiki Project
OS Command Injection vulnerability in multiple products

Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin.

9.0
2017-04-28 CVE-2016-8592 Trendmicro Permissions, Privileges, and Access Controls vulnerability in Trendmicro Threat Discovery Appliance

log_query_system.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id parameter.

9.0
2017-04-28 CVE-2016-8591 Trendmicro Permissions, Privileges, and Access Controls vulnerability in Trendmicro Threat Discovery Appliance

log_query.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id parameter.

9.0
2017-04-28 CVE-2016-8590 Trendmicro Permissions, Privileges, and Access Controls vulnerability in Trendmicro Threat Discovery Appliance

log_query_dlp.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id parameter.

9.0
2017-04-28 CVE-2016-8589 Trendmicro Permissions, Privileges, and Access Controls vulnerability in Trendmicro Threat Discovery Appliance

log_query_dae.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id parameter.

9.0
2017-04-28 CVE-2016-8586 Trendmicro Permissions, Privileges, and Access Controls vulnerability in Trendmicro Threat Discovery Appliance

detected_potential_files.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the cache_id parameter.

9.0
2017-04-28 CVE-2016-8585 Trendmicro Permissions, Privileges, and Access Controls vulnerability in Trendmicro Threat Discovery Appliance

admin_sys_time.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code as the root user via shell metacharacters in the timezone parameter.

9.0
2017-04-28 CVE-2017-2141 Iodata OS Command Injection vulnerability in Iodata Wn-G300R3 Firmware

WN-G300R3 firmware 1.03 and earlier allows attackers with administrator rights to execute arbitrary OS commands via unspecified vectors.

9.0
2017-04-25 CVE-2017-8220 TP Link OS Command Injection vulnerability in Tp-Link C20I Firmware and C2 Firmware

TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP POST data.

9.0
2017-04-24 CVE-2017-3543 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server).

9.0
2017-04-24 CVE-2017-3542 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server).

9.0
2017-04-24 CVE-2017-3230 Oracle Remote Security vulnerability in Oracle Fusion Middleware Mapviewer 11.1.1.9/12.2.1.1/12.2.1.2

Vulnerability in the Oracle Fusion Middleware MapViewer component of Oracle Fusion Middleware (subcomponent: Map Builder).

9.0
2017-04-24 CVE-2016-6903 Lshell Project Permissions, Privileges, and Access Controls vulnerability in Lshell Project Lshell 0.9.16

lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands.

9.0
2017-04-24 CVE-2016-6902 Lshell Project Permissions, Privileges, and Access Controls vulnerability in Lshell Project Lshell 0.9.16

lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands.

9.0

88 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-04-25 CVE-2017-5051 Google Integer Overflow or Wraparound vulnerability in Google Chrome

An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer.

8.8
2017-04-25 CVE-2017-5050 Google Integer Overflow or Wraparound vulnerability in Google Chrome

An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer.

8.8
2017-04-25 CVE-2017-5049 Google Integer Overflow or Wraparound vulnerability in Google Chrome

An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer.

8.8
2017-04-25 CVE-2017-5048 Google Integer Overflow or Wraparound vulnerability in Google Chrome

An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer.

8.8
2017-04-25 CVE-2017-5047 Google Integer Overflow or Wraparound vulnerability in Google Chrome

An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer.

8.8
2017-04-24 CVE-2017-5043 Google
Redhat
Debian
Use After Free vulnerability in multiple products

Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac had a use after free bug in GuestView, which allowed a remote attacker to perform an out of bounds memory read via a crafted Chrome extension.

8.8
2017-04-24 CVE-2017-5034 Google Use After Free vulnerability in Google Chrome

A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file.

8.8
2017-04-24 CVE-2017-5032 Google Out-of-bounds Write vulnerability in Google Chrome

PDFium in Google Chrome prior to 57.0.2987.98 for Windows could be made to increment off the end of a buffer, which allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

8.8
2017-04-24 CVE-2017-5031 Google Use After Free vulnerability in Google Chrome

A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

8.8
2017-04-24 CVE-2017-5030 Google
Debian
Redhat
Out-of-bounds Read vulnerability in multiple products

Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.2987.108 for Android allowed a remote attacker to execute arbitrary code via a crafted HTML page.

8.8
2017-04-24 CVE-2017-5029 Google
Xmlsoft
Debian
Redhat
Out-of-bounds Write vulnerability in multiple products

The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

8.8
2017-04-24 CVE-2017-3601 Oracle Remote Security vulnerability in Oracle API Gateway 11.1.2.4.0

Vulnerability in the Oracle API Gateway component of Oracle Fusion Middleware (subcomponent: Oracle API Gateway).

8.8
2017-04-24 CVE-2017-7852 Dlink Cross-Site Request Forgery (CSRF) vulnerability in Dlink products

D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack.

8.8
2017-04-24 CVE-2017-3602 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

8.5
2017-04-24 CVE-2017-3592 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Payables component of Oracle E-Business Suite (subcomponent: Self Service Manager).

8.5
2017-04-24 CVE-2017-3545 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Blob Server).

8.5
2017-04-24 CVE-2017-3472 Oracle Remote Security vulnerability in Oracle FLEXCUBE Private Banking

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Portfolio Management).

8.5
2017-04-28 CVE-2017-2113 Iodata Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Iodata products

Buffer overflow in TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

8.3
2017-04-28 CVE-2017-2112 Iodata OS Command Injection vulnerability in Iodata products

TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

8.3
2017-04-24 CVE-2017-3254 Oracle Remote Security vulnerability in Oracle Retail Invoice Matching 12.0/13.0

Vulnerability in the Oracle Retail Invoice Matching component of Oracle Retail Applications (subcomponent: Security).

8.3
2017-04-24 CVE-2017-3306 Oracle Remote Security vulnerability in Oracle MySQL Enterprise Monitor

Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Server).

8.2
2017-04-24 CVE-2017-5035 Google
Debian
Redhat
Race Condition vulnerability in multiple products

Google Chrome prior to 57.0.2987.98 for Windows and Mac had a race condition, which could cause Chrome to display incorrect certificate information for a site.

8.1
2017-04-24 CVE-2017-3530 Oracle Remote Security vulnerability in Oracle Transportation Manager CVE-2017-3530

Vulnerability in the Oracle Transportation Manager component of Oracle Supply Chain Products Suite (subcomponent: Security).

7.9
2017-04-27 CVE-2017-8291 Artifex
Debian
Redhat
Type Confusion vulnerability in multiple products

Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.

7.8
2017-04-24 CVE-2017-5039 Google
Debian
Redhat
Use After Free vulnerability in multiple products

A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.

7.8
2017-04-24 CVE-2017-5037 Google
Debian
Redhat
Integer Overflow or Wraparound vulnerability in multiple products

An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer.

7.8
2017-04-24 CVE-2017-5036 Google
Debian
Redhat
Use After Free vulnerability in multiple products

A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to have an unspecified impact via a crafted PDF file.

7.8
2017-04-24 CVE-2017-3625 Oracle Remote Security vulnerability in Oracle WebCenter Content

Vulnerability in the Oracle WebCenter Content component of Oracle Fusion Middleware (subcomponent: Content Server).

7.8
2017-04-24 CVE-2017-3599 Oracle Integer Overflow or Wraparound vulnerability in Oracle Mysql

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth).

7.8
2017-04-24 CVE-2017-3593 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

7.8
2017-04-24 CVE-2017-3557 Oracle Cross-site Scripting vulnerability in Oracle One-To-One Fulfillment

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Print Server).

7.8
2017-04-24 CVE-2017-3519 Oracle Remote Security vulnerability in Oracle PeopleSoft Enterprise Peopletools 8.54/8.55

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Security).

7.8
2017-04-24 CVE-2017-3499 Oracle Remote Security vulnerability in Oracle Social Network

Vulnerability in the Oracle Social Network component of Oracle Fusion Middleware (subcomponent: Android Client).

7.8
2017-04-24 CVE-2017-3432 Oracle Remote Security vulnerability in Oracle One-To-One Fulfillment 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Audience workbench).

7.8
2017-04-24 CVE-2017-3393 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: Interaction History).

7.8
2017-04-24 CVE-2017-3337 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface).

7.8
2017-04-24 CVE-2017-3233 Oracle Remote Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

7.8
2017-04-24 CVE-2017-2315 Juniper Missing Release of Resource after Effective Lifetime vulnerability in Juniper Junos

On Juniper Networks EX Series Ethernet Switches running affected Junos OS versions, a vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet destined to an EX Series Ethernet Switch to cause a slow memory leak.

7.8
2017-04-30 CVE-2017-8366 Ettercap Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ettercap Project Ettercap 0.8.2

The strescape function in ec_strings.c in Ettercap 0.8.2 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted filter that is mishandled by etterfilter.

7.5
2017-04-30 CVE-2017-8359 Grpc Out-of-bounds Write vulnerability in Grpc

Google gRPC before 2017-03-29 has an out-of-bounds write caused by a heap-based use-after-free related to the grpc_call_destroy function in core/lib/surface/call.c.

7.5
2017-04-30 CVE-2017-8358 Libreoffice Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libreoffice

LibreOffice before 2017-03-17 has an out-of-bounds write caused by a heap-based buffer overflow related to the ReadJPEG function in vcl/source/filter/jpeg/jpegc.cxx.

7.5
2017-04-28 CVE-2016-8584 Trendmicro Improper Access Control vulnerability in Trendmicro Threat Discovery Appliance

Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier uses predictable session values, which allows remote attackers to bypass authentication by guessing the value.

7.5
2017-04-28 CVE-2017-2101 IPA Improper Authentication vulnerability in IPA Appgoat 3.0.0

Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3.0.0 and earlier allows remote attackers to bypass authentication to perform arbitrary operations via unspecified vectors.

7.5
2017-04-27 CVE-2017-8305 13Thmonkey Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in 13Thmonkey Udfclient

The UDFclient (before 0.8.8) custom strlcpy implementation has a buffer overflow.

7.5
2017-04-27 CVE-2017-8307 Avast Arbitrary File Deletion vulnerability in Avast! Antivirus

In Avast Antivirus before v17, using the LPC interface API exposed by the AvastSVC.exe Windows service, it is possible to launch predefined binaries, or replace or delete arbitrary files.

7.5
2017-04-27 CVE-2017-8297 Simple File Manager Project Path Traversal vulnerability in Simple-File-Manager Project Simple-File-Manager 20170419

A path traversal vulnerability exists in simple-file-manager before 2017-04-26, affecting index.php (the sole "Simple PHP File Manager" component).

7.5
2017-04-27 CVE-2017-5186 Netiq
Novell
Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

Novell iManager 2.7 before SP7 Patch 9, NetIQ iManager 3.x before 3.0.2.1, Novell eDirectory 8.8.x before 8.8 SP8 Patch 9 Hotfix 2, and NetIQ eDirectory 9.x before 9.0.2 Hotfix 2 (9.0.2.2) use the deprecated MD5 hashing algorithm in a communications certificate.

7.5
2017-04-27 CVE-2017-8289 Riot Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Riot Project Riot

Stack-based buffer overflow in the ipv6_addr_from_str function in sys/net/network_layer/ipv6/addr/ipv6_addr_from_str.c in RIOT prior to 2017-04-25 allows local attackers, and potentially remote attackers, to cause a denial of service or possibly have unspecified other impact via a malformed IPv6 address.

7.5
2017-04-27 CVE-2017-8287 Freetype Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Freetype

FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.

7.5
2017-04-26 CVE-2017-8283 Debian Path Traversal vulnerability in Debian Dpkg

dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection mechanism for blank-indented diff hunks, which allows remote attackers to conduct directory traversal attacks via a crafted Debian source package, as demonstrated by use of dpkg-source on NetBSD.

7.5
2017-04-25 CVE-2017-8225 Wificam Insufficiently Protected Credentials vulnerability in Wificam Wireless IP Camera (P2P) Firmware

On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked.

7.5
2017-04-25 CVE-2017-1149 IBM XXE vulnerability in IBM Urbancode Deploy

IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data.

7.5
2017-04-25 CVE-2017-8110 Modified Shop XXE vulnerability in Modified-Shop Modified Ecommerce Shopsoftware 2.0.2.2

www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php.

7.5
2017-04-24 CVE-2017-3595 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

7.5
2017-04-24 CVE-2017-3553 Oracle Remote Security vulnerability in Oracle Identity Manager 11.1.2.3.0

Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Rules Engine).

7.5
2017-04-24 CVE-2017-3549 Oracle SQL Injection vulnerability in Oracle Scripting

Vulnerability in the Oracle Scripting component of Oracle E-Business Suite (subcomponent: Scripting Administration).

7.5
2017-04-24 CVE-2017-3540 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server).

7.5
2017-04-24 CVE-2017-3507 Oracle Remote Security vulnerability in Oracle Service Bus

Vulnerability in the Oracle Service Bus component of Oracle Fusion Middleware (subcomponent: Web Console Design).

7.5
2017-04-24 CVE-2017-3497 Oracle Remote Security vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Remote Administration Daemon).

7.5
2017-04-24 CVE-2017-3476 Oracle Remote Security vulnerability in Oracle FLEXCUBE Private Banking

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous).

7.5
2017-04-24 CVE-2017-3234 Oracle Remote Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

7.5
2017-04-24 CVE-2011-3428 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in QuickTime before 7.7.1 for Windows allows remote attackers to execute arbitrary code.

7.5
2017-04-24 CVE-2017-8105 Freetype
Debian
Out-of-bounds Write vulnerability in multiple products

FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.

7.5
2017-04-24 CVE-2015-7569 Yeager SQL Injection vulnerability in Yeager CMS 1.2.1

SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager CMS 1.2.1 allows local users to execute arbitrary SQL commands via the "pagedir_orderby" parameter.

7.5
2017-04-24 CVE-2015-7568 Yeager SQL Injection vulnerability in Yeager CMS 1.2.1

SQL injection vulnerability in the password recovery feature in Yeager CMS 1.2.1 allows remote attackers to change the account credentials of known users via the "userEmail" parameter.

7.5
2017-04-24 CVE-2015-7245 D Link Path Traversal vulnerability in D-Link Dvg-N5402Sp Firmware W1000Cn00/W1000Cn03/W2000En00

Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a ..

7.5
2017-04-24 CVE-2017-2331 Juniper Authentication Bypass vulnerability in Juniper NorthStar Controller Application

A firewall bypass vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to bypass firewall policies, leading to authentication bypass methods, information disclosure, modification of system files, and denials of service.

7.5
2017-04-24 CVE-2017-2321 Juniper Remote Privilege Escalation vulnerability in Juniper NorthStar Controller Application

A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause various system services partial to full denials of services, modification of system states and files, and potential disclosure of sensitive information which may assist the attacker in further attacks on the system through the use of multiple attack vectors, including man-in-the-middle attacks, file injections, and malicious execution of commands causing out of bound memory conditions leading to other attacks.

7.5
2017-04-24 CVE-2017-2319 Juniper Improper Authentication vulnerability in Juniper Northstar Controller

A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious attacker to compromise the systems confidentiality or integrity without authentication, leading to managed systems being compromised or services being denied to authentic end users and systems as a result.

7.5
2017-04-24 CVE-2017-2317 Juniper Information Exposure vulnerability in Juniper Northstar Controller

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause denials of services to underlying database tables leading to potential information disclosure, modification of system states, and partial to full denial of services relying upon data modified by an attacker.

7.5
2017-04-24 CVE-2014-9654 Google
ICU Project
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Chrome

The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.

7.5
2017-04-24 CVE-2017-3506 Oracle Unspecified vulnerability in Oracle Weblogic Server

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).

7.4
2017-04-26 CVE-2017-3162 Apache Improper Input Validation vulnerability in Apache Hadoop

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace.

7.3
2017-04-28 CVE-2017-2108 Softbank Untrusted Search Path vulnerability in Softbank Primedrive Desktop Application

Untrusted search path vulnerability in PrimeDrive Desktop Application 1.4.3 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

7.2
2017-04-26 CVE-2017-7293 Dolby Deserialization of Untrusted Data vulnerability in Dolby Audio X2 and Dolby Audio X3

The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to get arbitrary system privileges, because these services have .NET code for DCOM.

7.2
2017-04-24 CVE-2016-6915 Nvidia
Google
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia products

Stack-based buffer overflow in nvhost_job.c in the NVIDIA video driver for Android, Shield TV before OTA 3.3, Shield Table before OTA 4.4, and Shield Table TK1 before OTA 1.5.

7.2
2017-04-24 CVE-2017-3622 Oracle Local Privilege Escalation vulnerability in Oracle Solaris 10

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Common Desktop Environment (CDE)).

7.2
2017-04-24 CVE-2017-3237 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

7.2
2017-04-24 CVE-2016-6917 Nvidia
Google
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia products

Buffer overflow in nvhost_job.c in the NVIDIA video driver for Android, Shield TV before OTA 3.3, Shield Table before OTA 4.4, and Shield Table TK1 before OTA 1.5.

7.2
2017-04-24 CVE-2016-6916 Nvidia
Google
Integer Overflow or Wraparound vulnerability in Nvidia products

Integer overflow in nvhost_job.c in the NVIDIA video driver for Android, Shield TV before OTA 3.3, Shield Table before OTA 4.4, and Shield Table TK1 before OTA 1.5 allows local users to cause a denial of service (system crash) via unspecified vectors, which triggers a buffer overflow.

7.2
2017-04-24 CVE-2015-8110 Lenovo Permissions, Privileges, and Access Controls vulnerability in Lenovo System Update

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by navigating to (1) "Click here to learn more" or (2) "View privacy policy" within the Tvsukernel.exe GUI application in the context of a temporary administrator account, aka a "local privilege escalation vulnerability."

7.2
2017-04-29 CVE-2017-8327 Entropymine Resource Exhaustion vulnerability in Entropymine Imageworsener

The bmpr_read_uncompressed function in imagew-bmp.c in libimageworsener.a in ImageWorsener before 1.3.1 allows remote attackers to cause a denial of service (memory consumption) via a crafted image.

7.1
2017-04-24 CVE-2017-3547 Oracle Injection vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.54/8.55

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework).

7.1
2017-04-24 CVE-2017-3526 Oracle Remote Security vulnerability in Oracle Jdk, JRE and Jrockit

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP).

7.1
2017-04-24 CVE-2017-3520 Oracle Remote Security vulnerability in Oracle PeopleSoft Enterprise Peopletools 8.54/8.55

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Fluid Core).

7.1
2017-04-26 CVE-2017-8284 Qemu Code Injection vulnerability in Qemu

The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail.

7.0
2017-04-25 CVE-2017-7477 Linux Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel

Heap-based buffer overflow in drivers/net/macsec.c in the MACsec module in the Linux kernel through 4.10.12 allows attackers to cause a denial of service or possibly have unspecified other impact by leveraging the use of a MAX_SKB_FRAGS+1 size in conjunction with the NETIF_F_FRAGLIST feature, leading to an error in the skb_to_sgvec function.

7.0
2017-04-24 CVE-2017-3594 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

7.0

294 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-04-28 CVE-2017-2107 Akky Untrusted Search Path vulnerability in Akky 7-Zip32.Dll

Untrusted search path vulnerability in Self-extracting archive files created by 7-ZIP32.DLL 9.22.00.01 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

6.9
2017-04-24 CVE-2017-3564 Oracle Local Security vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: RBAC).

6.9
2017-04-24 CVE-2015-8109 Lenovo Credentials Management vulnerability in Lenovo System Update

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability."

6.9
2017-04-30 CVE-2017-8364 Rzip Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Rzip Project Rzip 2.1

The read_buf function in stream.c in rzip 2.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted archive.

6.8
2017-04-30 CVE-2017-8361 Libsndfile Project
Debian
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file.

6.8
2017-04-30 CVE-2017-8081 Cagintranetworks Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Cagintranetworks Getsimple CMS 3.3.13

Poor cryptographic salt initialization in admin/inc/template_functions.php in GetSimple CMS 3.3.13 allows a network attacker to escalate privileges to an arbitrary user or conduct CSRF attacks via calculation of a session cookie or CSRF nonce.

6.8
2017-04-30 CVE-2017-7721 Irfanview Improper Input Validation vulnerability in Irfanview FPX and Irfanview

IrfanView version 4.44 (32bit) with FPX Plugin before 4.45 has an Access Violation and crash in processing a FlashPix (.FPX) file.

6.8
2017-04-29 CVE-2017-8326 Entropymine Incorrect Calculation vulnerability in Entropymine Imageworsener

libimageworsener.a in ImageWorsener before 1.3.1 has "left shift cannot be represented in type int" undefined behavior issues, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image, related to imagew-bmp.c and imagew-util.c.

6.8
2017-04-29 CVE-2017-8325 Entropymine Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Entropymine Imageworsener

The iw_process_cols_to_intermediate function in imagew-main.c in libimageworsener.a in ImageWorsener before 1.3.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted image.

6.8
2017-04-28 CVE-2017-1194 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

6.8
2017-04-28 CVE-2017-2156 Vivaldi Untrusted Search Path vulnerability in Vivaldi Installer FOR Windows

Untrusted search path vulnerability in Vivaldi installer for Windows prior to version 1.7.735.48 allows an attacker to execute arbitrary code via a specially crafted executable file in an unspecified directory.

6.8
2017-04-28 CVE-2017-2155 I CON Corporation Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in I.Con Corporation Hoozin Viewer 2/3

Buffer overflow in Hoozin Viewer 2, 3, 4.1.5.15 and earlier, 5.1.2.13 and earlier, and 6.0.3.09 and earlier allows remote attackers to execute arbitrary code via specially crafted webpage.

6.8
2017-04-28 CVE-2017-2154 Justsystems Improper Input Validation vulnerability in Justsystems products

Untrusted search path vulnerability in Hanako 2017, Hanako 2016, Hanako 2015, Hanako Pro 3, JUST Office 3 [Standard], JUST Office 3 [Eco Print Package], JUST Office 3 & Tri-De DataProtect Package, JUST Government 3, JUST Jump Class 2, JUST Frontier 3, JUST School 6 Premium, Hanako Police 5, JUST Police 3, Hanako 2017 trial version allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

6.8
2017-04-28 CVE-2017-2140 Gaku Injection vulnerability in Gaku Tablacus Explorer

Tablacus Explorer 17.3.30 and earlier allows arbitrary scripts to be executed in the context of the application due to specially crafted directory.

6.8
2017-04-28 CVE-2017-2130 Securebrain Untrusted Search Path vulnerability in Securebrain Phishwall Client 3.7.13/3.7.8.1

Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer version Ver.

6.8
2017-04-28 CVE-2017-2128 Information Technology Promotion Agency OS Command Injection vulnerability in Information-Technology Promotion Agency Introduction TO Safe Website Operation

Security guide for website operators allows remote attackers to execute arbitrary OS commands via specially crafted saved data.

6.8
2017-04-28 CVE-2017-2102 IPA Cross-Site Request Forgery (CSRF) vulnerability in IPA Appgoat 3.0.0

Cross-site request forgery (CSRF) vulnerability in Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3.0.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

6.8
2017-04-28 CVE-2017-2100 IPA Improper Input Validation vulnerability in IPA Appgoat 3.0.0/3.0.1

Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3.0.1 and earlier allows remote attackers to conduct DNS rebinding attacks via unspecified vectors.

6.8
2017-04-28 CVE-2017-2099 IPA Remote Code Execution vulnerability in IPA Appgoat 3.0.0

Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3.0.0 and earlier allows remote code execution via unspecified vectors.

6.8
2017-04-28 CVE-2017-2097 Support Project Cross-Site Request Forgery (CSRF) vulnerability in Support-Project Knowledge

Cross-site request forgery (CSRF) vulnerability in Knowledge versions prior to v1.7.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

6.8
2017-04-27 CVE-2017-8288 Gnome Improper Input Validation vulnerability in Gnome Gnome-Shell

gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen.

6.8
2017-04-25 CVE-2017-3434 Oracle Remote Security vulnerability in Oracle One-To-One Fulfillment 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: Audience workbench).

6.8
2017-04-25 CVE-2017-3356 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface).

6.8
2017-04-25 CVE-2017-3355 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface).

6.8
2017-04-25 CVE-2017-3347 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface).

6.8
2017-04-25 CVE-2017-3342 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface).

6.8
2017-04-24 CVE-2017-3573 Oracle Remote Security vulnerability in Oracle Hospitality OPERA 5 Property Services

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Printing).

6.8
2017-04-24 CVE-2017-3550 Oracle Remote Security vulnerability in Oracle Customer Interaction History 12.1.1/12.1.2/12.1.3

Vulnerability in the Oracle Customer Interaction History component of Oracle E-Business Suite (subcomponent: Admin Console).

6.8
2017-04-24 CVE-2017-3534 Oracle Remote Security vulnerability in Oracle FLEXCUBE Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure).

6.8
2017-04-24 CVE-2017-3516 Oracle Remote Security vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones virtualized NIC driver).

6.8
2017-04-24 CVE-2011-3438 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Safari 5.0.6

WebKit, as used in Safari 5.0.6, allows remote attackers to cause a denial of service (process crash) or arbitrary code execution.

6.8
2017-04-24 CVE-2017-8101 S9Y Cross-Site Request Forgery (CSRF) vulnerability in S9Y Serendipity 2.0.5

There is CSRF in Serendipity 2.0.5, allowing attackers to install any themes via a GET request.

6.8
2017-04-24 CVE-2016-4313 Extplorer Path Traversal vulnerability in Extplorer 2.1.9

Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a ..

6.8
2017-04-24 CVE-2016-3691 Kallithea
Kallithea SCM
Cross-Site Request Forgery (CSRF) vulnerability in Kallithea-Scm Kallithea 0.1/0.2/0.3.1

Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method.

6.8
2017-04-24 CVE-2017-2326 Juniper Information Exposure vulnerability in Juniper Northstar Controller

An information disclosure vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unprivileged, authenticated, network-based attacker to replicate the underlying Junos OS VM and all data it maintains to their local system for future analysis.

6.8
2017-04-24 CVE-2017-2312 Juniper Missing Release of Resource after Effective Lifetime vulnerability in Juniper Junos

On Juniper Networks devices running Junos OS affected versions and with LDP enabled, a specific LDP packet destined to the RE (Routing Engine) will consume a small amount of the memory allocated for the rpd (routing protocol daemon) process.

6.8
2017-04-29 CVE-2017-8114 Roundcube Improper Privilege Management vulnerability in Roundcube Webmail

Roundcube Webmail allows arbitrary password resets by authenticated users.

6.5
2017-04-28 CVE-2016-8593 Trendmicro Path Traversal vulnerability in Trendmicro Threat Discovery Appliance

Directory traversal vulnerability in upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via a ..

6.5
2017-04-28 CVE-2017-2125 Allied Telesis K K Privilege Escalation vulnerability in CentreCOM AR260S V2

Privilege escalation vulnerability in CentreCOM AR260S V2 remote authenticated attackers to gain privileges via the guest account.

6.5
2017-04-25 CVE-2017-1274 IBM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Domino

IBM Domino 8.5.3, and 9.0 is vulnerable to a stack based overflow in the IMAP service that could allow an authenticated attacker to execute arbitrary code by specifying a large mailbox name.

6.5
2017-04-25 CVE-2017-7221 Opentext SQL Injection vulnerability in Opentext Documentum Content Server

OpenText Documentum Content Server has an inadequate protection mechanism against SQL injection, which allows remote authenticated users to execute arbitrary code with super-user privileges by leveraging the availability of the dm_bp_transition docbase method with a user-created dm_procedure object, as demonstrated by use of a backspace character in an injected string.

6.5
2017-04-24 CVE-2017-3596 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

6.5
2017-04-24 CVE-2017-3577 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise CS Campus Community 9.2

Vulnerability in the PeopleSoft Enterprise CS Campus Community component of Oracle PeopleSoft Products (subcomponent: Frameworks).

6.5
2017-04-24 CVE-2017-3574 Oracle Remote Security vulnerability in Oracle Hospitality OPERA 5 Property Services

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA License code configuration).

6.5
2017-04-24 CVE-2017-3571 Oracle Remote Security vulnerability in Oracle Peoplesoft Ebill Payment 9.2

Vulnerability in the PeopleSoft Enterprise SCM eBill Payment component of Oracle PeopleSoft Products (subcomponent: Security).

6.5
2017-04-24 CVE-2017-3570 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Esettlements 9.1

Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle PeopleSoft Products (subcomponent: eSettlements).

6.5
2017-04-24 CVE-2017-3569 Oracle Remote Security vulnerability in Oracle Hospitality OPERA 5 Property Services

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Business Events).

6.5
2017-04-24 CVE-2017-3554 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Catalog Mover).

6.5
2017-04-24 CVE-2017-3525 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise SCM Services Procurement 9.2

Vulnerability in the PeopleSoft Enterprise SCM Service Procurement component of Oracle PeopleSoft Products (subcomponent: Usability).

6.5
2017-04-24 CVE-2017-3524 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise SCM Strategic Sourcing 9.2

Vulnerability in the PeopleSoft Enterprise SCM Strategic Sourcing component of Oracle PeopleSoft Products (subcomponent: Bidder Registration).

6.5
2017-04-24 CVE-2017-3508 Oracle Remote Security vulnerability in RETIRED: Oracle Primavera Products

Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration).

6.5
2017-04-24 CVE-2017-3503 Oracle Remote Security vulnerability in Oracle Primavera Products

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access (Apache Commons BeanUtils)).

6.5
2017-04-24 CVE-2015-0104 IBM Improper Access Control vulnerability in IBM products

IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to execute arbitrary code via unspecified vectors.

6.5
2017-04-27 CVE-2017-5135 Technicolor SNMP Authentication Bypass vulnerability in Technicolor Dpc3928Sl Firmware D3928Slp1513A386C3420R55105160127A

Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases.

6.4
2017-04-24 CVE-2017-3548 Oracle XXE vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.54/8.55

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Integration Broker).

6.4
2017-04-24 CVE-2017-3546 Oracle Server-Side Request Forgery (SSRF) vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.54/8.55

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework).

6.4
2017-04-24 CVE-2017-3541 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server).

6.4
2017-04-24 CVE-2017-3531 Oracle Remote Security vulnerability in Oracle WebLogic Server

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Servlet Runtime).

6.4
2017-04-24 CVE-2017-3517 Oracle Remote Security vulnerability in Oracle JD Edwards Enterpriseone Tools 9.2

Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Web Runtime SEC).

6.4
2017-04-24 CVE-2015-7570 Yeager Server-Side Request Forgery (SSRF) vulnerability in Yeager CMS 1.2.1

Multiple server-side request forgery (SSRF) vulnerabilities in Yeager CMS 1.2.1 allow remote attackers to trigger outbound requests and enumerate open ports via the dbhost parameter to libs/org/adodb_lite/tests/test_adodb_lite.php, libs/org/adodb_lite/tests/test_datadictionary.php, or libs/org/adodb_lite/tests/test_adodb_lite_sessions.php.

6.4
2017-04-24 CVE-2017-5044 Google
Debian
Redhat
Out-of-bounds Write vulnerability in multiple products

Heap buffer overflow in filter processing in Skia in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.

6.3
2017-04-24 CVE-2017-5038 Google
Debian
Redhat
Use After Free vulnerability in multiple products

Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac had a use after free bug in GuestView, which allowed a remote attacker to perform an out of bounds memory read via a crafted Chrome extension.

6.3
2017-04-24 CVE-2017-3597 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

6.3
2017-04-24 CVE-2017-3538 Oracle Local Security Bypass vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder).

6.3
2017-04-24 CVE-2017-3305 Oracle
Debian
Cleartext Transmission of Sensitive Information vulnerability in multiple products

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API).

6.3
2017-04-26 CVE-2017-3161 Apache Cross-site Scripting vulnerability in Apache Hadoop

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

6.1
2017-04-24 CVE-2017-5045 Google
Redhat
Debian
Cross-site Scripting vulnerability in multiple products

XSS Auditor in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed detection of a blocked iframe load, which allowed a remote attacker to brute force JavaScript variables via a crafted HTML page.

6.1
2017-04-24 CVE-2017-3551 Oracle Local Security vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Smartcard Libraries).

6.1
2017-04-24 CVE-2017-5191 Netiq Cross-site Scripting vulnerability in Netiq Access Manager 4.2/4.3

An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manager 4.2 and 4.3 exists because Access Gateway Error pages do not validate the HTTP Referer header.

6.1
2017-04-28 CVE-2016-8588 Trendmicro Improper Access Control vulnerability in Trendmicro Threat Discovery Appliance

The hotfix_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the file name of an uploaded file.

6.0
2017-04-28 CVE-2016-8587 Trendmicro Improper Access Control vulnerability in Trendmicro Threat Discovery Appliance

dlp_policy_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via an archive file containing a symlink to /eng_ptn_stores/prod/sensorSDK/data/ or /eng_ptn_stores/prod/sensorSDK/backup_pol/.

6.0
2017-04-28 CVE-2017-2120 Wbce SQL Injection vulnerability in Wbce CMS

SQL injection vulnerability in the WBCE CMS 1.1.10 and earlier allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.

6.0
2017-04-24 CVE-2017-3600 Oracle
Redhat
Debian
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump).
6.0
2017-04-24 CVE-2017-3523 Oracle Remote Security vulnerability in Oracle Connector/J 5.1.40

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J).

6.0
2017-04-25 CVE-2017-3345 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface).

5.8
2017-04-24 CVE-2017-3591 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Catalog Mover).

5.8
2017-04-24 CVE-2017-3583 Oracle Remote Security vulnerability in Oracle Primavera Products

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access).

5.8
2017-04-24 CVE-2017-3579 Oracle Remote Security vulnerability in Oracle Primavera Products

Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access).

5.8
2017-04-24 CVE-2017-3537 Oracle Remote Security vulnerability in Oracle Real-Time Scheduler 2.2.0.3.13/2.3.0.0/2.3.0.1

Vulnerability in the Oracle Real-Time Scheduler component of Oracle Utilities Applications (subcomponent: Mobile Communications Platform).

5.8
2017-04-24 CVE-2017-3532 Oracle Remote Security vulnerability in Oracle Retail Warehouse Management System 13.2/14.0/15.0

Vulnerability in the Oracle Retail Warehouse Management System component of Oracle Retail Applications (subcomponent: Security).

5.8
2017-04-24 CVE-2017-3528 Oracle Open Redirect vulnerability in Oracle Applications Framework

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (lists of values, datepicker, etc.)).

5.8
2017-04-24 CVE-2017-3515 Oracle Remote Security vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle User Management component of Oracle E-Business Suite (subcomponent: User Name/Password Management).

5.8
2017-04-24 CVE-2017-3501 Oracle Remote Security vulnerability in Oracle Primavera Unifier

Vulnerability in the Primavera Unifier component of Oracle Primavera Products Suite (subcomponent: Platform).

5.8
2017-04-24 CVE-2017-3496 Oracle Remote Security vulnerability in Oracle Flexcube Enterprise Limits and Collateral Management 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Infrastructure).

5.8
2017-04-24 CVE-2017-8099 Browserweb INC Cross-Site Request Forgery (CSRF) vulnerability in Browserweb INC Whizz

There is CSRF in the WHIZZ plugin before 1.1.1 for WordPress, allowing attackers to delete any WordPress users and change the plugin's status via a GET request.

5.8
2017-04-24 CVE-2017-5042 Google
Redhat
Debian
Missing Encryption of Sensitive Data vulnerability in multiple products

Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android sent cookies to sites discovered via SSDP, which allowed an attacker on the local network segment to initiate connections to arbitrary URLs and observe any plaintext cookies sent.

5.7
2017-04-24 CVE-2017-3586 Oracle Remote Security vulnerability in Oracle Mysql Connectors 2.1.0/2.1.8

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J).

5.5
2017-04-24 CVE-2017-3522 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise SCM Esupplier Connection 9.2

Vulnerability in the PeopleSoft Enterprise SCM eSupplier Connection component of Oracle PeopleSoft Products (subcomponent: Vendor).

5.5
2017-04-24 CVE-2017-3521 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise SCM Purchasing 9.2

Vulnerability in the PeopleSoft Enterprise SCM Purchasing component of Oracle PeopleSoft Products (subcomponent: Supplier Registration).

5.5
2017-04-24 CVE-2017-3510 Oracle Remote Security vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones virtualized NIC driver).

5.5
2017-04-24 CVE-2017-3493 Oracle Remote Security vulnerability in Oracle Flexcube Enterprise Limits and Collateral Management 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Infrastructure).

5.5
2017-04-24 CVE-2017-3492 Oracle Remote Security vulnerability in Oracle Flexcube Enterprise Limits and Collateral Management 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Infrastructure).

5.5
2017-04-24 CVE-2017-3489 Oracle Remote Security vulnerability in Oracle FLEXCUBE Investor Servicing

Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Security Management System).

5.5
2017-04-24 CVE-2017-3484 Oracle Remote Security vulnerability in Oracle Flexcube Enterprise Limits and Collateral Management 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Limits and Collateral).

5.5
2017-04-24 CVE-2017-3479 Oracle Remote Security vulnerability in Oracle FLEXCUBE Private Banking

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous).

5.5
2017-04-24 CVE-2017-3478 Oracle Remote Security vulnerability in Oracle Flexcube Private Banking 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous).

5.5
2017-04-24 CVE-2017-3455 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

5.5
2017-04-24 CVE-2017-3454 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB).

5.5
2017-04-24 CVE-2017-3304 Oracle Remote Security vulnerability in Oracle MySQL Cluster

Vulnerability in the MySQL Cluster component of Oracle MySQL (subcomponent: Cluster: DD).

5.5
2017-04-24 CVE-2017-3288 Oracle Remote Security vulnerability in Oracle FLEXCUBE Investor Servicing

Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Unit Trust).

5.5
2017-04-28 CVE-2017-2127 YOP Poll Cross-site Scripting vulnerability in Yop-Poll YOP Poll

Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

5.4
2017-04-28 CVE-2017-2152 Buffalo INC OS Command Injection vulnerability in Buffalo INC Wnc01Wh Firmware

WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to execute arbitrary OS commands via unspecified vectors.

5.2
2017-04-24 CVE-2017-3580 Oracle Remote Security vulnerability in Oracle SUN ZFS Storage Appliance KIT Ak2013

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: RAS subsystems).

5.1
2017-04-24 CVE-2017-3514 Oracle Remote Security vulnerability in Oracle Jdk, JRE and Jrockit

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT).

5.1
2017-04-24 CVE-2017-3512 Oracle
Redhat
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT).
5.1
2017-04-29 CVE-2017-7957 Xstream Project
Debian
Improper Input Validation vulnerability in multiple products

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

5.0
2017-04-29 CVE-2017-7945 Paloaltonetworks Information Exposure Through an Error Message vulnerability in Paloaltonetworks Pan-Os

The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before 8.0.2 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests, aka PAN-SA-2017-0014 and PAN-72769.

5.0
2017-04-28 CVE-2017-2153 Seil Improper Input Validation vulnerability in Seil products

SEIL/x86 Fuji 1.70 to 5.62, SEIL/BPV4 5.00 to 5.62, SEIL/X1 1.30 to 5.62, SEIL/X2 1.30 to 5.62, SEIL/B1 1.00 to 5.62 allows remote attackers to cause a denial of service via specially crafted IPv4 UDP packets.

5.0
2017-04-28 CVE-2017-2150 Booking Calendar Project Path Traversal vulnerability in Booking Calendar Project Booking Calendar

Directory traversal vulnerability in Booking Calendar version 7.0 and earlier allows remote attackers to read arbitrary files via specially crafted captcha_chalange parameter.

5.0
2017-04-28 CVE-2017-2143 Frogman Office INC Forced Browsing vulnerability in Frogman Office INC products

CS-Cart Japanese Edition v4.3.10-jp-1 and earlier, CS-Cart Multivendor Japanese Edition v4.3.10-jp-1 and earlier allows remote attackers to bypass access restriction to create a request to return a customer purchased item via rma.post.php.

5.0
2017-04-28 CVE-2017-2139 Frogman Office INC Forced Browsing vulnerability in Frogman Office INC Cs-Cart

CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to bypass access restriction to obtain customer information via orders.pre.php.

5.0
2017-04-28 CVE-2017-2119 Wbce Path Traversal vulnerability in Wbce CMS

Directory traversal vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to read arbitrary files via unspecified vectors.

5.0
2017-04-27 CVE-2017-8308 Avast Improper Privilege Management vulnerability in Avast Antivirus

In Avast Antivirus before v17, an unprivileged user (and thus malware or a virus) can mark an arbitrary process as Trusted from the perspective of the Avast product.

5.0
2017-04-27 CVE-2017-8296 KED Password Manager Project Insufficiently Protected Credentials vulnerability in KED Password Manager Project KED Password Manager 0.5/1.0

kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext.

5.0
2017-04-27 CVE-2017-8294 Virustotal Out-of-bounds Read vulnerability in Virustotal Yara 3.5.0

libyara/re.c in the regex component in YARA 3.5.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted rule that is mishandled in the yr_re_exec function.

5.0
2017-04-27 CVE-2017-7415 Atlassian Information Exposure vulnerability in Atlassian Confluence Server

Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypass authentication and read any blog or page via the drafts diff REST resource.

5.0
2017-04-26 CVE-2017-6054 Hyundaiusa Use of Hard-coded Credentials vulnerability in Hyundaiusa Blue Link 3.9.4/3.9.5

A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4.

5.0
2017-04-25 CVE-2017-8223 Wificam Improper Authentication vulnerability in Wificam Wireless IP Camera (P2P) Firmware

On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the RTSP server on port 10554/tcp to watch the streaming without authentication via tcp/av0_1 or tcp/av0_0.

5.0
2017-04-25 CVE-2017-8222 Wificam Insufficiently Protected Credentials vulnerability in Wificam Wireless IP Camera (P2P) Firmware

Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS Push Services" private RSA key and certificate stored in /system/www/pem/ck.pem inside the firmware, which allows attackers to obtain sensitive information.

5.0
2017-04-25 CVE-2017-8221 Wificam Missing Encryption of Sensitive Data vulnerability in Wificam Wireless IP Camera (P2P) Firmware

Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.

5.0
2017-04-25 CVE-2017-8217 TP Link Missing Authorization vulnerability in Tp-Link C20I Firmware and C2 Firmware

TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n have too permissive iptables rules, e.g., SNMP is not blocked on any interface.

5.0
2017-04-25 CVE-2017-8115 Modx Path Traversal vulnerability in Modx Revolution 2.5.7

Directory traversal in setup/processors/url_search.php (aka the search page of an unused processor) in MODX Revolution 2.5.7 might allow remote attackers to obtain system directory information.

5.0
2017-04-25 CVE-2017-8057 Joomla Information Exposure vulnerability in Joomla Joomla!

In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused full path disclosures on systems with enabled error reporting.

5.0
2017-04-25 CVE-2017-7988 Joomla Security Bypass vulnerability in Joomla!

In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of form contents allows overwriting the author of an article.

5.0
2017-04-25 CVE-2017-7983 Joomla Information Exposure vulnerability in Joomla Joomla!

In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers.

5.0
2017-04-24 CVE-2017-3621 Oracle Remote Security vulnerability in Oracle SUN ZFS Storage Appliance KIT Ak2013

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: IPC Frameworks).

5.0
2017-04-24 CVE-2017-3585 Oracle Remote Security vulnerability in Oracle SUN ZFS Storage Appliance KIT Ak2013

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: User Interface subsystem).

5.0
2017-04-24 CVE-2017-3572 Oracle Security vulnerability in Oracle Commerce Guided Search and Commerce Experience Manager

Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce Experience Manager component of Oracle Commerce (subcomponent: MDEX).

5.0
2017-04-24 CVE-2017-3556 Oracle Information Exposure vulnerability in Oracle Application Object Library

Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: File Management).

5.0
2017-04-24 CVE-2017-3555 Oracle Allocation of Resources Without Limits or Throttling vulnerability in Oracle Ireceivables

Vulnerability in the Oracle iReceivables component of Oracle E-Business Suite (subcomponent: Self Registration).

5.0
2017-04-24 CVE-2017-3527 Oracle Information Exposure vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.54/8.55

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Fluid Core).

5.0
2017-04-24 CVE-2017-3518 Oracle Remote Security vulnerability in Oracle Enterprise Manager Base Platform 12.1.0/13.1.0/13.2.0

Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: Discovery Framework).

5.0
2017-04-24 CVE-2017-3502 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise FIN Receivables 9.2

Vulnerability in the PeopleSoft Enterprise FIN Receivables component of Oracle PeopleSoft Products (subcomponent: Receivables).

5.0
2017-04-24 CVE-2017-3470 Oracle Remote Security vulnerability in Oracle Communications Security Gateway 3.0.0

Vulnerability in the Oracle Communications Security Gateway component of Oracle Communications Applications (subcomponent: Network).

5.0
2017-04-24 CVE-2017-3450 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached).

5.0
2017-04-24 CVE-2017-3329 Oracle
Debian
Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Thread Pooling).

5.0
2017-04-24 CVE-2017-8104 Mybb Path Traversal vulnerability in Mybb

In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter.

5.0
2017-04-24 CVE-2017-1000361 Opendaylight Unspecified vulnerability in Opendaylight 3.3/4.0

DOMRpcImplementationNotAvailableException when sending Port-Status packets to OpenDaylight.

5.0
2017-04-24 CVE-2017-1000360 Opendaylight NULL Pointer Dereference vulnerability in Opendaylight 3.3/4.0

StreamCorruptedException and NullPointerException in OpenDaylight odl-mdsal-xsql.

5.0
2017-04-24 CVE-2017-1000359 Opendaylight Resource Exhaustion vulnerability in Opendaylight 3.3/4.0

Java out of memory error and significant increase in resource consumption.

5.0
2017-04-24 CVE-2017-1000357 Opendaylight Resource Exhaustion vulnerability in Opendaylight 3.3/4.0

Denial of Service attack when the switch rejects to receive packets from the controller.

5.0
2017-04-24 CVE-2017-2340 Juniper Improper Input Validation vulnerability in Juniper Junos 15.1/16.1

On Juniper Networks Junos OS 15.1 releases from 15.1R3 to 15.1R4, 16.1 prior to 16.1R3, on M/MX platforms where Enhanced Subscriber Management for DHCPv6 subscribers is configured, a vulnerability in processing IPv6 ND packets originating from subscribers and destined to M/MX series routers can result in a PFE (Packet Forwarding Engine) hang or crash.

5.0
2017-04-24 CVE-2017-2324 Juniper Command Injection vulnerability in Juniper Northstar Controller

A command injection vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to cause a denial of service condition.

5.0
2017-04-24 CVE-2017-2323 Juniper Denial of Service vulnerability in Juniper NorthStar Controller Application

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious attacker crafting packets destined to the device to cause a persistent denial of service to the path computation server service.

5.0
2017-04-24 CVE-2017-2313 Juniper Improper Input Validation vulnerability in Juniper Junos

Juniper Networks devices running affected Junos OS versions may be impacted by the receipt of a crafted BGP UPDATE which can lead to an rpd (routing process daemon) crash and restart.

5.0
2017-04-24 CVE-2015-1522 BRO Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in BRO

analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not reject certain non-zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer over-read) via a crafted DNP3 packet.

5.0
2017-04-24 CVE-2015-1521 BRO Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in BRO

analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not properly handle zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer over-read if NDEBUG; otherwise assertion failure) via a crafted DNP3 packet.

5.0
2017-04-30 CVE-2017-8339 Watchguard Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Watchguard Panda Antivirus 18.0

PSKMAD.sys in Panda Free Antivirus 18.0 allows local users to cause a denial of service (BSoD) via a crafted DeviceIoControl request to \\.\PSMEMDriver.

4.9
2017-04-28 CVE-2016-7815 Cybozu Improper Certificate Validation vulnerability in Cybozu Remote Service Manager

Remote Service Manager 3.0.0 to 3.1.4 fails to verify client certificates, which may allow remote attackers to gain access to systems on the network.

4.9
2017-04-24 CVE-2017-8106 Linux NULL Pointer Dereference vulnerability in Linux Kernel

The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 through 3.15 allows privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer.

4.9
2017-04-24 CVE-2017-3619 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

4.9
2017-04-24 CVE-2017-3536 Oracle Remote Security vulnerability in Oracle PeopleSoft Enterprise Peopletools 8.54/8.55

Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Security).

4.9
2017-04-24 CVE-2017-3500 Oracle Remote Security vulnerability in Oracle Primavera Gateway

Vulnerability in the Primavera Gateway component of Oracle Primavera Products Suite (subcomponent: Primavera Desktop Integration).

4.9
2017-04-24 CVE-2017-3485 Oracle Remote Security vulnerability in Oracle FLEXCUBE Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure).

4.9
2017-04-24 CVE-2017-3483 Oracle Local Security vulnerability in Oracle Flexcube Enterprise Limits and Collateral Management 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Limits and Collateral).

4.9
2017-04-24 CVE-2017-3482 Oracle Remote Security vulnerability in Oracle FLEXCUBE Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure).

4.9
2017-04-24 CVE-2017-3477 Oracle Remote Security vulnerability in Oracle Flexcube Private Banking 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous).

4.9
2017-04-24 CVE-2017-3451 Oracle Remote Security vulnerability in Oracle Retail Open Commerce Platform

Vulnerability in the Oracle Retail Open Commerce Platform component of Oracle Retail Applications (subcomponent: Web).

4.9
2017-04-24 CVE-2017-3232 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

4.9
2017-04-24 CVE-2010-1776 Apple 7PK - Security Features vulnerability in Apple Iphone OS

Find My iPhone on iOS 2.0 through 3.1.3 for iPhone 3G and later and iOS 2.1 through 3.1.3 for iPod touch (2nd generation) and later, when Find My iPhone is disabled, allows remote authenticated users with an associated MobileMe account to wipe the device.

4.9
2017-04-24 CVE-2017-2330 Juniper Excessive Iteration vulnerability in Juniper Northstar Controller

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, local user, to create a fork bomb scenario, also known as a rabbit virus, or wabbit, which will create processes that replicate themselves, until all resources are consumed on the system, leading to a denial of service to the entire system until it is restarted.

4.9
2017-04-24 CVE-2017-2327 Juniper Resource Exhaustion vulnerability in Juniper Northstar Controller

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to consume large amounts of system resources leading to a cascading denial of services.

4.9
2017-04-24 CVE-2010-5329 Linux Resource Management Errors vulnerability in Linux Kernel

The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the Linux kernel before 2.6.39 relies on the count value of a v4l2_ext_controls data structure to determine a kmalloc size, which might allow local users to cause a denial of service (memory consumption) via a large value.

4.9
2017-04-30 CVE-2017-8367 Ether Software Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ether Software products

Buffer overflow in Ether Software Easy MOV Converter 1.4.24, Easy DVD Creator, Easy MPEG/AVI/DIVX/WMV/RM to DVD, Easy Avi/Divx/Xvid to DVD Burner, Easy MPEG to DVD Burner, Easy WMV/ASF/ASX to DVD Burner, Easy RM RMVB to DVD Burner, Easy CD DVD Copy, MP3/AVI/MPEG/WMV/RM to Audio CD Burner, MP3/WAV/OGG/WMA/AC3 to CD Burner, MP3 WAV to CD Burner, My Video Converter, Easy AVI DivX Converter, Easy Video to iPod Converter, Easy Video to PSP Converter, Easy Video to 3GP Converter, Easy Video to MP4 Converter, and Easy Video to iPod/MP4/PSP/3GP Converter allows local attackers to cause a denial of service (SEH overwrite) or possibly have unspecified other impact via a long username.

4.6
2017-04-28 CVE-2017-6250 Nvidia Local Code Execution vulnerability in NVIDIA GeForce Experience

NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper.exe, where untrusted script execution may lead to violation of application execution policy and local code execution.

4.6
2017-04-26 CVE-2017-1170 IBM Local Session Hijacking vulnerability in IBM WebSphere Commerce

IBM WebSphere Commerce Enterprise, Professional, Express, and Developer 8.0 could allow a local user to hijack a user's session.

4.6
2017-04-26 CVE-2017-7720 Privatetunnel Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Privatetunnel 2.7/2.8

Buffer overflow in PrivateTunnel 2.7 and 2.8 allows local attackers to cause a denial of service (SEH overwrite) or possibly have unspecified other impact via a long password.

4.6
2017-04-24 CVE-2017-3620 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

4.6
2017-04-24 CVE-2017-3582 Oracle Local Security vulnerability in Oracle SuperCluster Specific Software 2.3.13/2.3.8

Vulnerability in the Oracle SuperCluster Specific Software component of Oracle Sun Systems Products Suite (subcomponent: Backup/Restore Utility).

4.6
2017-04-24 CVE-2017-3581 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

4.6
2017-04-24 CVE-2017-3578 Oracle Local Security vulnerability in Oracle SUN ZFS Storage Appliance KIT Software 2013

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: RAS subsystems).

4.6
2017-04-24 CVE-2017-3576 Oracle Local Security vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2017-04-24 CVE-2017-3563 Oracle Improper Certificate Validation vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2017-04-24 CVE-2017-3561 Oracle Local Security vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2017-04-24 CVE-2017-3558 Oracle Local Security vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.6
2017-04-24 CVE-2007-6761 Linux Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel

drivers/media/video/videobuf-vmalloc.c in the Linux kernel before 2.6.24 does not initialize videobuf_mapping data structures, which allows local users to trigger an incorrect count value and videobuf leak via unspecified vectors, a different vulnerability than CVE-2010-5321.

4.6
2017-04-24 CVE-2017-3606 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

4.4
2017-04-24 CVE-2017-3584 Oracle Local Security vulnerability in Oracle SUN ZFS Storage Appliance KIT Ak2013

Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: RAS subsystems).

4.4
2017-04-30 CVE-2017-8365 Libsndfile Project
Debian
Out-of-bounds Read vulnerability in multiple products

The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file.

4.3
2017-04-30 CVE-2017-8363 Libsndfile Project
Debian
Out-of-bounds Read vulnerability in multiple products

The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file.

4.3
2017-04-30 CVE-2017-8362 Libsndfile Project
Debian
Out-of-bounds Read vulnerability in multiple products

The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file.

4.3
2017-04-30 CVE-2017-8357 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8356 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8355 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8354 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8353 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8352 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8351 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8350 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8349 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8348 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8347 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8346 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8345 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8344 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8343 Imagemagick
Debian
Missing Release of Resource after Effective Lifetime vulnerability in multiple products

In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows attackers to cause a denial of service (memory leak) via a crafted file.

4.3
2017-04-30 CVE-2017-8342 Radicale Race Condition vulnerability in Radicale

Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method.

4.3
2017-04-28 CVE-2017-2151 Booking Calendar Project Cross-site Scripting vulnerability in Booking Calendar Project Booking Calendar

Cross-site scripting vulnerability in Booking Calendar version 7.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2017-04-28 CVE-2017-2147 WP Statistics Cross-site Scripting vulnerability in Wp-Statistics WP Statistics

Cross-site scripting vulnerability in WP Statistics version 12.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2017-04-28 CVE-2017-2137 Netgear Unspecified vulnerability in Netgear Prosafe Plus Configuration Utility

ProSAFE Plus Configuration Utility prior to 2.3.29 allows remote attackers to bypass access restriction and change configurations of the switch via SOAP requests.

4.3
2017-04-28 CVE-2017-2136 WP Statistics Cross-site Scripting vulnerability in WP Statistics WP Statistics

Cross-site scripting vulnerability in WP Statistics version 12.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers.

4.3
2017-04-28 CVE-2017-2135 WP Statistics Cross-site Scripting vulnerability in Wp-Statistics WP Statistics

Cross-site scripting vulnerability in WP Statistics version 12.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2017-04-28 CVE-2017-2134 Uchida Cross-site Scripting vulnerability in Uchida Assetbase 8.0

Cross-site scripting vulnerability in ASSETBASE 8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2017-04-28 CVE-2017-2124 Onethird Cross-site Scripting vulnerability in Onethird CMS

Cross-site scripting vulnerability in OneThird CMS v1.73 Heaven's Door and earlier allows remote attackers to inject arbitrary web script or HTML via contact.php.

4.3
2017-04-28 CVE-2017-2123 Onethird Cross-site Scripting vulnerability in Onethird CMS

Cross-site scripting vulnerability in OneThird CMS v1.73 Heaven's Door and earlier allows remote attackers to inject arbitrary web script or HTML via language.php.

4.3
2017-04-28 CVE-2017-2118 Wbce Cross-site Scripting vulnerability in Wbce CMS

Cross-site scripting vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2017-04-28 CVE-2017-2111 Iodata CRLF Injection vulnerability in Iodata products

HTTP header injection vulnerability in TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier may allow a remote attackers to display false information.

4.3
2017-04-28 CVE-2017-2110 Nissan Securities Improper Certificate Validation vulnerability in Nissan Securities Access CX

The Access CX App for Android prior to 2.0.0.1 and for iOS prior to 2.0.2 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

4.3
2017-04-28 CVE-2017-2106 Webmin Cross-site Scripting vulnerability in Webmin

Multiple cross-site scripting vulnerabilities in Webmin versions prior to 1.830 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2017-04-28 CVE-2017-2105 Presentcast INC Information Exposure vulnerability in Presentcast INC Tver

The TVer App for Android 3.2.7 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

4.3
2017-04-28 CVE-2017-2104 K Opticom Corporation Information Exposure vulnerability in K-Opticom Corporation Business Lala Call

The Business LaLa Call App for Android 1.4.7 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

4.3
2017-04-28 CVE-2017-2103 K Opticom Corporation Information Exposure vulnerability in K-Opticom Corporation Lala Call

The LaLa Call App for Android 2.4.7 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

4.3
2017-04-28 CVE-2017-2093 Cybozu Information Exposure vulnerability in Cybozu Garoon

Cybozu Garoon 3.0.0 to 4.2.3 allow remote attackers to obtain tokens used for CSRF protection via unspecified vectors.

4.3
2017-04-28 CVE-2016-7843 Hibara Software Path Traversal vulnerability in Hibara Software products

Directory traversal vulnerability in AttacheCase for Java 0.60 and earlier, AttacheCase Lite 1.4.6 and earlier, and AttacheCase Pro 1.5.7 and earlier allows remote attackers to read arbitrary files via specially crafted ATC file.

4.3
2017-04-28 CVE-2016-7842 Hibara Path Traversal vulnerability in Hibara Attachecase

Directory traversal vulnerability in AttacheCase 2.8.2.8 and earlier and 3.2.0.4 and earlier allows remote attackers to read arbitrary files via specially crafted ATC file.

4.3
2017-04-28 CVE-2016-7841 Olive Design Cross-site Scripting vulnerability in Olive Design Olive Diary DX

Cross-site scripting vulnerability in Olive Diary DX allows remote attackers to inject arbitrary web script or HTML via the page parameter.

4.3
2017-04-28 CVE-2016-7840 Olive Design Cross-site Scripting vulnerability in Olive Design Olive Blog

Cross-site scripting vulnerability in WEB SCHEDULE allows remote attackers to inject arbitrary web script or HTML via the month parameter.

4.3
2017-04-28 CVE-2016-7839 Olive Design Cross-site Scripting vulnerability in Olive Design Olive Blog

Cross-site scripting vulnerability in Olive Blog allows remote attackers to inject arbitrary web script or HTML via the search parameter.

4.3
2017-04-27 CVE-2017-3008 Adobe Cross-site Scripting vulnerability in Adobe Coldfusion 10.0/11.0/2016

Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a reflected cross-site scripting vulnerability.

4.3
2017-04-26 CVE-2016-8962 IBM Credentials Management vulnerability in IBM Bigfix Inventory 9.0/9.2

IBM BigFix Inventory 9.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

4.3
2017-04-26 CVE-2016-8924 IBM Cross-site Scripting vulnerability in IBM Maximo Asset Management 7.1/7.5/7.6

IBM Maximo Asset Management 7.1, 7.5 and 7.6 could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier.

4.3
2017-04-26 CVE-2017-6052 Hyundaiusa Multiple Security vulnerability in Hyundaiusa Blue Link 3.9.4/3.9.5

A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4.

4.3
2017-04-25 CVE-2017-7987 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.

4.3
2017-04-25 CVE-2017-7986 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components.

4.3
2017-04-25 CVE-2017-7985 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.

4.3
2017-04-25 CVE-2017-7984 Joomla Cross-site Scripting vulnerability in Joomla Joomla!

In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.

4.3
2017-04-25 CVE-2016-8030 Mcafee Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mcafee Virusscan Enterprise 8.8

A memory corruption vulnerability in Scriptscan COM Object in McAfee VirusScan Enterprise 8.8 Patch 8 and earlier allows remote attackers to create a Denial of Service on the active Internet Explorer tab via a crafted HTML link.

4.3
2017-04-24 CVE-2017-5046 Google
Redhat
Debian
V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android had insufficient policy enforcement, which allowed a remote attacker to spoof the location object via a crafted HTML page, related to Blink information disclosure.
4.3
2017-04-24 CVE-2017-5041 Google Improper Input Validation vulnerability in Google Chrome

Google Chrome prior to 57.0.2987.100 incorrectly handled back-forward navigation, which allowed a remote attacker to display incorrect information for a site via a crafted HTML page.

4.3
2017-04-24 CVE-2017-5040 Google
Debian
Redhat
V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android was missing a neutering check, which allowed a remote attacker to read values in memory via a crafted HTML page.
4.3
2017-04-24 CVE-2017-5033 Google
Debian
Redhat
Improper Preservation of Permissions vulnerability in multiple products

Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword.

4.3
2017-04-24 CVE-2017-3559 Oracle Local Security vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

4.3
2017-04-24 CVE-2017-3544 Oracle
Redhat
Debian
Google
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking).
4.3
2017-04-24 CVE-2017-3535 Oracle Remote Security vulnerability in Oracle FLEXCUBE Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure).

4.3
2017-04-24 CVE-2017-3533 Oracle
Redhat
Debian
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking).
4.3
2017-04-24 CVE-2017-3495 Oracle Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.2/12.0.3

Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracle Financial Services Applications (subcomponent: Pre-Login).

4.3
2017-04-24 CVE-2017-3494 Oracle Remote Security vulnerability in Oracle FLEXCUBE Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Retail Teller).

4.3
2017-04-24 CVE-2017-3480 Oracle Remote Security vulnerability in Oracle Flexcube Universal Banking 11.3.0/11.4.0/12.0.1

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure).

4.3
2017-04-24 CVE-2017-3471 Oracle Remote Security vulnerability in Oracle Flexcube Private Banking 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous).

4.3
2017-04-24 CVE-2017-3469 Oracle Remote Security vulnerability in Oracle MySQL Workbench

Vulnerability in the MySQL Workbench component of Oracle MySQL (subcomponent: Workbench: Security : Encryption).

4.3
2017-04-24 CVE-2017-3467 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: C API).

4.3
2017-04-24 CVE-2016-5016 Pivotal Software Improper Certificate Validation vulnerability in Pivotal Software products

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.

4.3
2017-04-24 CVE-2017-8103 Mybb Cross-site Scripting vulnerability in Mybb

In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event.

4.3
2017-04-24 CVE-2017-8100 Artistscope Cross-Site Request Forgery (CSRF) vulnerability in Artistscope Copysafe web Protection

There is CSRF in the CopySafe Web Protection plugin before 2.6 for WordPress, allowing attackers to change plugin settings.

4.3
2017-04-24 CVE-2017-8098 E107 Cross-Site Request Forgery (CSRF) vulnerability in E107 2.1.4

e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing.

4.3
2017-04-24 CVE-2017-7723 WP Ecommerce Cross-site Scripting vulnerability in Wp-Ecommerce Easy WP Smtp

XSS exists in Easy WP SMTP (before 1.2.5), a WordPress Plugin, via the e-mail subject or body.

4.3
2017-04-24 CVE-2016-3076 Python Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Python Pillow

Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file.

4.3
2017-04-24 CVE-2017-2334 Juniper Information Exposure vulnerability in Juniper Northstar Controller

An information leak vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to perform a man-in-the-middle attack, thereby stealing authentic credentials from encrypted paths which are easily decrypted, and subsequently gain complete control of the system.

4.3
2017-04-24 CVE-2017-8085 Exponentcms Cross-site Scripting vulnerability in Exponentcms Exponent CMS 2.3.0/2.3.1

In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.

4.3
2017-04-24 CVE-2017-7944 Xoops Cross-site Scripting vulnerability in Xoops 2.5.8.1

XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.

4.3
2017-04-24 CVE-2017-8082 Concretecms Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS 8.1.0

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI.

4.3
2017-04-24 CVE-2010-5321 Linux Missing Release of Resource after Effective Lifetime vulnerability in Linux Kernel

Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761.

4.3
2017-04-24 CVE-2017-3565 Oracle Local Security vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: RBAC).

4.1
2017-04-30 CVE-2017-8371 Schneider Electric Insufficiently Protected Credentials vulnerability in Schneider-Electric Struxureware Data Center Expert 7.3.1

Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.

4.0
2017-04-29 CVE-2017-7644 Paloaltonetworks Information Exposure vulnerability in Paloaltonetworks Pan-Os

The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, and 7.1.x before 7.1.9 allows remote authenticated users to obtain sensitive information by leveraging incorrect permission validation, aka PAN-SA-2017-0013 and PAN-70541.

4.0
2017-04-28 CVE-2017-1141 IBM Information Exposure vulnerability in IBM Insights Foundation FOR Energy 1.0/1.5/1.6

IBM Insights Foundation for Energy 1.0, 1.5, and 1.6 could allow an authenticated user to obtain sensitive information from error messages.

4.0
2017-04-28 CVE-2017-2117 Cubecart Path Traversal vulnerability in Cubecart

Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors.

4.0
2017-04-28 CVE-2017-2116 Cybozu Unspecified vulnerability in Cybozu Office

Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to bypass access restriction to delete "customapp" templates via unspecified vectors.

4.0
2017-04-28 CVE-2017-2115 Cybozu Incorrect Permission Assignment for Critical Resource vulnerability in Cybozu Office

Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to bypass access restriction to obtain "customapp" information via unspecified vectors.

4.0
2017-04-28 CVE-2017-2098 Cubecart Path Traversal vulnerability in Cubecart

Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

4.0
2017-04-28 CVE-2017-2095 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in the mail function leading to an alteration of the order of mail folders via unspecified vectors.

4.0
2017-04-28 CVE-2017-2094 Cybozu Improper Privilege Management vulnerability in Cybozu Garoon

Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in Workflow and the "MultiReport" function to alter or delete information via unspecified vectors.

4.0
2017-04-28 CVE-2017-2091 Cybozu Multiple Security vulnerability in Cybozu Garoon

Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to bypass access restriction in Phone Messages function to alter the status of phone messages via unspecified vectors.

4.0
2017-04-28 CVE-2017-2090 Cubecart Path Traversal vulnerability in Cubecart

Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors.

4.0
2017-04-25 CVE-2017-8219 TP Link Improper Input Validation vulnerability in Tp-Link C20I Firmware and C2 Firmware

TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow DoSing the HTTP server via a crafted Cookie header to the /cgi/ansi URI.

4.0
2017-04-25 CVE-2017-7989 Joomla Unrestricted Upload of File with Dangerous Type vulnerability in Joomla Joomla!

In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.

4.0
2017-04-24 CVE-2017-3560 Oracle Information Exposure vulnerability in Oracle Hospitality Opera 5 Property Services

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OXI Interface).

4.0
2017-04-24 CVE-2017-3509 Oracle Remote Security vulnerability in Oracle JDK and JRE

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking).

4.0
2017-04-24 CVE-2017-3491 Oracle Remote Security vulnerability in Oracle Flexcube Enterprise Limits and Collateral Management 12.0.1/12.1.0

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Limits and Collateral).

4.0
2017-04-24 CVE-2017-3488 Oracle Remote Security vulnerability in Oracle FLEXCUBE Investor Servicing

Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Unit Trust).

4.0
2017-04-24 CVE-2017-3481 Oracle Remote Security vulnerability in Oracle Flexcube Universal Banking 11.3.0/11.4.0/12.0.1

Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure).

4.0
2017-04-24 CVE-2017-3475 Oracle Remote Security vulnerability in Oracle FLEXCUBE Private Banking

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous).

4.0
2017-04-24 CVE-2017-3473 Oracle Remote Security vulnerability in Oracle FLEXCUBE Private Banking

Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous).

4.0
2017-04-24 CVE-2017-3465 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2017-04-24 CVE-2017-3464 Oracle
Debian
Redhat
Mariadb
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL).
4.0
2017-04-24 CVE-2017-3463 Oracle
Debian
Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2017-04-24 CVE-2017-3462 Oracle
Debian
Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2017-04-24 CVE-2017-3461 Oracle
Debian
Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges).

4.0
2017-04-24 CVE-2017-3460 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Audit Plug-in).

4.0
2017-04-24 CVE-2017-3459 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2017-04-24 CVE-2017-3458 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML).

4.0
2017-04-24 CVE-2017-3457 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML).

4.0
2017-04-24 CVE-2017-3456 Oracle
Debian
Mariadb
Redhat
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML).
4.0
2017-04-24 CVE-2017-3453 Oracle
Debian
Mariadb
Redhat
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
4.0
2017-04-24 CVE-2017-3452 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).

4.0
2017-04-24 CVE-2017-3331 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML).

4.0
2017-04-24 CVE-2017-3309 Oracle
Debian
Mariadb
Redhat
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer).
4.0
2017-04-24 CVE-2017-3308 Oracle
Debian
Mariadb
Redhat
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML).
4.0
2017-04-24 CVE-2016-3114 Kallithea Permissions, Privileges, and Access Controls vulnerability in Kallithea 0.3.1

Kallithea before 0.3.2 allows remote authenticated users to edit or delete open pull requests or delete comments by leveraging read access.

4.0
2017-04-24 CVE-2017-1000358 Opendaylight NULL Pointer Dereference vulnerability in Opendaylight 4.0

Controller throws an exception and does not allow user to add subsequent flow for a particular switch.

4.0
2017-04-24 CVE-2017-2333 Juniper Resource Exhaustion vulnerability in Juniper Northstar Controller

A persistent denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious, network-based, authenticated attacker to consume enough system resources to cause a persistent denial of service by visiting certain specific URLs on the server.

4.0
2017-04-24 CVE-2017-2325 Juniper Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Juniper Northstar Controller

A buffer overflow vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to cause a buffer overflow leading to a denial of service.

4.0
2017-04-24 CVE-2017-2318 Juniper Information Exposure vulnerability in Juniper Northstar Controller

A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to read log files which will compromise the integrity of the system, or provide elevation of privileges.

4.0
2017-04-24 CVE-2015-0107 IBM Path Traversal vulnerability in IBM products

IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to conduct directory traversal attacks via unspecified vectors.

4.0

52 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2017-04-24 CVE-2017-3617 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3616 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3615 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3614 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3613 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3612 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3611 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3610 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3609 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3608 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3607 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3605 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3604 Oracle Unspecified vulnerability in Oracle Berkeley DB

Vulnerability in the Data Store component of Oracle Berkeley DB.

3.7
2017-04-24 CVE-2017-3568 Oracle Local Security vulnerability in Oracle Hospitality OPERA 5 Property Services

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Printing and Login).

3.7
2017-04-24 CVE-2017-3511 Oracle Local Security vulnerability in Oracle Jdk, JRE and Jrockit

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JCE).

3.7
2017-04-24 CVE-2017-3486 Oracle Local Security vulnerability in Oracle SQL Plus 11.2.0.4/12.1.0.2

Vulnerability in the SQL*Plus component of Oracle Database Server.

3.7
2017-04-24 CVE-2017-3618 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

3.6
2017-04-24 CVE-2017-3587 Oracle Double Free Local Memory Corruption vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Shared Folder).

3.6
2017-04-24 CVE-2017-3575 Oracle Local Security vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

3.6
2017-04-24 CVE-2017-3505 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

3.6
2017-04-24 CVE-2017-3504 Oracle Local Security vulnerability in Oracle Automatic Service Request

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager).

3.6
2017-04-24 CVE-2017-3307 Oracle Remote Security vulnerability in Oracle MySQL Enterprise Monitor

Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: Server).

3.6
2017-04-28 CVE-2017-2148 Iodata Cross-site Scripting vulnerability in Iodata Wn-Ac1167Gr Firmware

Cross-site scripting vulnerability in WN-AC1167GR firmware version 1.04 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5
2017-04-28 CVE-2017-2114 Cybozu Cross-site Scripting vulnerability in Cybozu Office

Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5
2017-04-28 CVE-2017-2092 Cybozu Cross-site Scripting vulnerability in Cybozu Garoon

Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

3.5
2017-04-27 CVE-2017-8302 Blueriver Cross-site Scripting vulnerability in Blueriver Muracms 7.0.6967

Mura CMS 7.0.6967 allows admin/?muraAction= XSS attacks, related to admin/core/views/carch/list.cfm, admin/core/views/carch/loadsiteflat.cfm, admin/core/views/cusers/inc/dsp_nextn.cfm, admin/core/views/cusers/inc/dsp_search_form.cfm, admin/core/views/cusers/inc/dsp_users_list.cfm, admin/core/views/cusers/list.cfm, and admin/core/views/cusers/listusers.cfm.

3.5
2017-04-27 CVE-2017-8298 Cnvs Cross-site Scripting vulnerability in Cnvs Canvas 3.3.0

cnvs.io Canvas 3.3.0 has XSS in the title and content fields of a "Posts > Add New" action, and during creation of new tags and users.

3.5
2017-04-24 CVE-2017-3603 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

3.5
2017-04-24 CVE-2017-3598 Oracle Remote Security vulnerability in Oracle WebCenter Sites

Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI).

3.5
2017-04-24 CVE-2017-3567 Oracle Remote Security vulnerability in Oracle Database 11.2.0.4/12.1.0.2

Vulnerability in the OJVM component of Oracle Database Server.

3.5
2017-04-24 CVE-2017-3552 Oracle Information Exposure vulnerability in Oracle Hospitality Opera 5 Property Services

Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Room Image/Picture Setup).

3.5
2017-04-24 CVE-2017-3490 Oracle Remote Security vulnerability in Oracle Flexcube Enterprise Limits and Collateral Management 12.0.0/12.1.0

Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral Management component of Oracle Financial Services Applications (subcomponent: Limits and Collateral).

3.5
2017-04-24 CVE-2017-3487 Oracle Remote Security vulnerability in Oracle FLEXCUBE Investor Servicing

Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Unit Trust).

3.5
2017-04-24 CVE-2017-3468 Oracle Remote Security vulnerability in Oracle MySQL Server

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption).

3.5
2017-04-24 CVE-2017-8102 S9Y Cross-site Scripting vulnerability in S9Y Serendipity 2.1

Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user.

3.5
2017-04-28 CVE-2017-2109 Cybozu Information Exposure vulnerability in Cybozu Kunai 3.0.4/3.0.5/3.0.5.1

Cybozu KUNAI for Android 3.0.4 to 3.0.5.1 allow remote attackers to obtain log information through a malicious Android application.

2.6
2017-04-27 CVE-2017-8301 Openbsd Improper Certificate Validation vulnerability in Openbsd Libressl 2.5.1/2.5.2/2.5.3

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.

2.6
2017-04-24 CVE-2017-3626 Oracle Remote Security vulnerability in Oracle Glassfish Server 3.1.2

Vulnerability in the Oracle GlassFish Server component of Oracle Fusion Middleware (subcomponent: Java Server Faces).

2.6
2017-04-25 CVE-2017-8109 Saltstack Information Exposure vulnerability in Saltstack Salt

The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 copied over configuration from the Salt Master without adjusting permissions, which might leak credentials to local attackers on configured minions (clients).

2.1
2017-04-25 CVE-2017-5625 Oneplus NULL Pointer Dereference vulnerability in Oneplus Oxygenos

In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except 'keystore') by issuing the 'fastboot oem dump <partition>' fastboot command.

2.1
2017-04-24 CVE-2017-3590 Oracle Local Security vulnerability in Oracle MySQL Connectors

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python).

2.1
2017-04-24 CVE-2017-3589 Oracle Local Security vulnerability in Oracle Connector/J 5.1.40

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J).

2.1
2017-04-24 CVE-2017-3539 Oracle
Redhat
Debian
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security).
2.1
2017-04-24 CVE-2017-3498 Oracle Information Exposure vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel).

2.1
2017-04-24 CVE-2017-3474 Oracle Local Security vulnerability in Oracle Solaris 11.3

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Zone).

2.1
2017-04-24 CVE-2017-2322 Juniper Resource Exhaustion vulnerability in Juniper Northstar Controller

A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1, may allow an authenticated user to cause widespread denials of service to system services by consuming TCP and UDP ports which are normally reserved for other system services.

2.1
2017-04-24 CVE-2017-2329 Juniper Improper Authentication vulnerability in Juniper Northstar Controller

An insufficient authentication vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unprivileged, authenticated, user to execute certain specific unprivileged system files capable of causing widespread denials of system services.

2.1
2017-04-24 CVE-2017-2328 Juniper Information Exposure vulnerability in Juniper Northstar Controller

An information leak vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unprivileged, authenticated, user to elevate their permissions through reading unprivileged information stored in the NorthStar controller.

2.1
2017-04-24 CVE-2017-2316 Juniper Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Juniper Northstar Controller

A buffer overflow vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to cause a buffer overflow leading to a denial of service.

2.1
2017-04-24 CVE-2014-9680 Sudo Project Information Exposure vulnerability in Sudo Project Sudo

sudo before 1.8.12 does not ensure that the TZ environment variable is associated with a zoneinfo file, which allows local users to open arbitrary files for read access (but not view file contents) by running a program within an sudo session, as demonstrated by interfering with terminal output, discarding kernel-log messages, or repositioning tape drives.

2.1
2017-04-24 CVE-2017-3513 Oracle Local Security vulnerability in Oracle VM VirtualBox

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core).

1.9
2017-04-24 CVE-2016-5551 Oracle Improper Access Control vulnerability in Oracle Solaris Cluster 4.3

Vulnerability in the Solaris Cluster component of Oracle Sun Systems Products Suite (subcomponent: NAS device addition).

1.9