Weekly Vulnerabilities Reports > June 12 to 18, 2017
Overview
374 new vulnerabilities reported during this period, including 19 critical vulnerabilities and 145 high severity vulnerabilities. This weekly summary report vulnerabilities in 200 products from 90 vendors including Microsoft, Google, Cisco, Meafinancial, and Elastic. Vulnerabilities are notably categorized as "Information Exposure", "Improper Certificate Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", and "Improper Input Validation".
- 220 reported vulnerabilities are remotely exploitables.
- 108 reported vulnerabilities have public exploit available.
- 106 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 255 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 97 reported vulnerabilities.
- Cloudfoundry has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
19 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2017-06-18 | CVE-2017-9741 | Projectsend | Improper Input Validation vulnerability in Projectsend R754 install/make-config.php in ProjectSend r754 allows remote attackers to execute arbitrary PHP code via the dbprefix parameter, related to replacing TABLES_PREFIX in the configuration file. | 9.8 |
2017-06-17 | CVE-2017-9736 | Spip | OS Command Injection vulnerability in Spip SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution. | 9.8 |
2017-06-16 | CVE-2017-9728 | Uclibc | Out-of-bounds Read vulnerability in Uclibc 0.9.33.2 In uClibc 0.9.33.2, there is an out-of-bounds read in the get_subexp function in misc/regex/regexec.c when processing a crafted regular expression. | 9.8 |
2017-06-16 | CVE-2017-9602 | Kbvault Mysql Project | Incorrect Permission Assignment for Critical Resource vulnerability in Kbvault Mysql Project Kbvault Mysql 0.16A KBVault Mysql Free Knowledge Base application package 0.16a comes with a FileExplorer/Explorer.aspx?id=/Uploads file-management component. | 9.8 |
2017-06-15 | CVE-2017-1197 | IBM | Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Bigfix Security Compliance Analytics 1.9.70 IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 9.8 |
2017-06-15 | CVE-2017-8543 | Microsoft | Improper Preservation of Permissions vulnerability in Microsoft products Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to take control of the affected system when Windows Search fails to handle objects in memory, aka "Windows Search Remote Code Execution Vulnerability". | 9.8 |
2017-06-14 | CVE-2017-7676 | Apache | Improper Input Validation vulnerability in Apache Ranger Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '*' wildcard character - like my*test, test*.txt. | 9.8 |
2017-06-14 | CVE-2017-2810 | Python | Unspecified vulnerability in Python Tablib 0.11.4 An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. | 9.8 |
2017-06-13 | CVE-2017-9246 | Newrelic | SQL Injection vulnerability in Newrelic .Net Agent 6.2.26.0 New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism. | 9.8 |
2017-06-13 | CVE-2016-5411 | Redhat | Credentials Management vulnerability in Redhat Quickstart Cloud Installer 0.9 /var/lib/ovirt-engine/setup/engine-DC-config.py in Red Hat QuickStart Cloud Installer (QCI) before 1.0 GA is created world readable and contains the root password of the deployed system. | 9.8 |
2017-06-13 | CVE-2017-6667 | Cisco | Improper Input Validation vulnerability in Cisco Context Service Development KIT 2.0 A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server. | 9.8 |
2017-06-13 | CVE-2017-4992 | Pivotal Software Cloudfoundry | Improper Privilege Management vulnerability in multiple products An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v261; UAA release 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, and other versions prior to v4.2.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.15, 24.x versions prior to v24.10, 30.x versions prior to 30.3, and other versions prior to v37. | 9.8 |
2017-06-13 | CVE-2017-4955 | Pivotal Software | Information Exposure Through Log Files vulnerability in Pivotal Software Cloud Foundry Elastic Runtime An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.65, 1.7.x versions prior to 1.7.48, 1.8.x versions prior to 1.8.28, and 1.9.x versions prior to 1.9.5. | 9.8 |
2017-06-13 | CVE-2017-2773 | Pivotal Software | Improper Input Validation vulnerability in Pivotal Software Cloud Foundry Elastic Runtime An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. | 9.8 |
2017-06-13 | CVE-2016-8218 | Cloudfoundry | Improper Input Validation vulnerability in Cloudfoundry Cf-Release An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release versions 203 to 231. | 9.8 |
2017-06-13 | CVE-2016-6655 | Cloudfoundry | Command Injection vulnerability in Cloudfoundry Cf-Mysql-Release An issue was discovered in Cloud Foundry Foundation Cloud Foundry release versions prior to v245 and cf-mysql-release versions prior to v31. | 9.8 |
2017-06-12 | CVE-2014-9984 | GNU | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GNU Glibc nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd. | 9.8 |
2017-06-12 | CVE-2017-9544 | Echatserver | Out-of-bounds Write vulnerability in Echatserver Easy Chat Server There is a remote stack-based buffer overflow (SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1. | 9.8 |
2017-06-16 | CVE-2017-9097 | Hoytech | Path Traversal vulnerability in Hoytech Antiweb In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through 3.21.2, WS100 devices through 3.30.5, EC150 devices through 1.40.0, WS200 devices through 3.30.4, EC250 devices through 1.40.0, and other products, an LFI vulnerability allows a remote attacker to read or modify files through a path traversal technique, as demonstrated by reading the password file, or using the template parameter to cgi-bin/write.cgi to write to an arbitrary file. | 9.1 |
145 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2017-06-16 | CVE-2016-1000218 | Elastic | Cross-Site Request Forgery (CSRF) vulnerability in Elastic Kibana Reporting 2.4.0 Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. | 8.8 |
2017-06-15 | CVE-2017-9673 | Simplece | Cross-Site Request Forgery (CSRF) vulnerability in Simplece 2.3.0 In SimpleCE 2.3.0, a CSRF vulnerability can be exploited to add an administrator account (via the index.php/user/new URI) or change its settings (via the index.php/user/1 URI), including its password. | 8.8 |
2017-06-15 | CVE-2017-8528 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, Windows Server 2016, Microsoft Office 2007 SP3, and Microsoft Office 2010 SP2 allows a remote code execution vulnerability due to the way it handles objects in memory, aka "Windows Uniscribe Remote Code Execution Vulnerability". | 8.8 |
2017-06-15 | CVE-2017-8527 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows a remote code execution vulnerability due to the way it handles objects in memory, aka "Windows Graphics Remote Code Execution Vulnerability". | 8.8 |
2017-06-15 | CVE-2017-8512 | Microsoft | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". | 8.8 |
2017-06-15 | CVE-2017-8510 | Microsoft | Unspecified vulnerability in Microsoft Excel, Office and Word A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". | 8.8 |
2017-06-15 | CVE-2017-8509 | Microsoft | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". | 8.8 |
2017-06-15 | CVE-2017-8464 | Microsoft | Unspecified vulnerability in Microsoft products Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. | 8.8 |
2017-06-15 | CVE-2017-0283 | Microsoft | Unspecified vulnerability in Microsoft products Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, Windows Server 2016, Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office Word Viewer, Microsoft Lync 2013 SP1, Skype for Business 2016, Microsoft Silverlight 5 Developer Runtime when installed on Microsoft Windows, and Microsoft Silverlight 5 when installed on Microsoft Windows allows a remote code execution vulnerability due to the way it handles objects in memory, aka "Windows Uniscribe Remote Code Execution Vulnerability". | 8.8 |
2017-06-14 | CVE-2017-8907 | Atlassian | Incorrect Authorization vulnerability in Atlassian Bamboo Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. | 8.8 |
2017-06-13 | CVE-2016-9984 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Maximo Asset Management 7.5/7.6 IBM Maximo Asset Management 7.5 and 7.6 could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator. | 8.8 |
2017-06-13 | CVE-2017-9603 | Intensewp | SQL Injection vulnerability in Intensewp WP Jobs SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordPress allows authenticated users to execute arbitrary SQL commands via the jobid parameter to wp-admin/edit.php. | 8.8 |
2017-06-13 | CVE-2017-9429 | Event List Project | SQL Injection vulnerability in Event List Project Event List 0.7.8 SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php. | 8.8 |
2017-06-13 | CVE-2017-6692 | Cisco | Insecure Default Initialization of Resource vulnerability in Cisco Ultra Services Framework Element Manager 21.0.V0.65839 A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker to log in to the device with the privileges of the root user, aka an Insecure Default Account Information Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6689 | Cisco | Insecure Default Initialization of Resource vulnerability in Cisco Elastic Services Controller 2.2(9.76) A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user, aka an Insecure Default Administrator Credentials Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6688 | Cisco | Insecure Default Initialization of Resource vulnerability in Cisco Elastic Services Controller 2.2(9.76) A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user, aka an Insecure Default Password Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6687 | Cisco | Insecure Default Initialization of Resource vulnerability in Cisco Ultra Services Framework Element Manager 21.0.0 A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in to the affected device using default credentials present on the system, aka an Insecure Default Password Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6686 | Cisco | Insecure Default Initialization of Resource vulnerability in Cisco Ultra Services Framework Element Manager 21.0.0 A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in as an admin or oper user of the affected device, aka an Insecure Default Credentials Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6685 | Cisco | Insecure Default Initialization of Resource vulnerability in Cisco Ultra Services Framework Staging Server 21.0.0 A vulnerability in Cisco Ultra Services Framework Staging Server could allow an authenticated, remote attacker with access to the management network to log in as an admin user of the affected device, aka an Insecure Default Credentials Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6684 | Cisco | Insecure Default Initialization of Resource vulnerability in Cisco Elastic Services Controller 21.0.0 A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user, aka an Insecure Default Credentials Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6683 | Cisco | OS Command Injection vulnerability in Cisco Elastic Services Controller 2.2(9.76) A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system, aka an Authentication Request Processing Arbitrary Command Execution Vulnerability. | 8.8 |
2017-06-13 | CVE-2017-6682 | Cisco | OS Command Injection vulnerability in Cisco Elastic Services Controller 2.2(9.76) A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. | 8.8 |
2017-06-13 | CVE-2017-6659 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Prime Collaboration Assurance 11.5(0)/11.6 A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. | 8.8 |
2017-06-13 | CVE-2017-4973 | Pivotal Software Cloudfoundry | Improper Privilege Management vulnerability in multiple products An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. | 8.8 |
2017-06-13 | CVE-2017-4961 | Cloud Foundry | Improper Validation of Integrity Check Value vulnerability in Cloud Foundry Bosh An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x versions prior to 261.3 and all 260.x versions. | 8.8 |
2017-06-13 | CVE-2017-4959 | Pivotal Software | Unspecified vulnerability in Pivotal Software Cloud Foundry Elastic Runtime An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions prior to 1.8.29 and 1.9.x versions prior to 1.9.7. | 8.8 |
2017-06-12 | CVE-2017-6892 | Libsndfile Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libsndfile Project Libsndfile 1.0.28 In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. | 8.8 |
2017-06-12 | CVE-2017-9418 | Goldplugins | SQL Injection vulnerability in Goldplugins Testimonials Plugin Easy Testimonials 3.4.1 SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php. | 8.8 |
2017-06-12 | CVE-2017-9324 | Otrs Debian | Improper Privilege Management vulnerability in multiple products In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. | 8.8 |
2017-06-14 | CVE-2017-7914 | Rockwellautomation | Missing Authorization vulnerability in Rockwellautomation Panelview Plus 6 700-1500 Firmware A Missing Authorization issue was discovered in Rockwell Automation PanelView Plus 6 700-1500 6.00.04, 6.00.05, 6.00.42, 6.00-20140306, 6.10.20121012, 6.10-20140122, 7.00-20121012, 7.00-20130108, 7.00-20130325, 7.00-20130619, 7.00-20140128, 7.00-20140310, 7.00-20140429, 7.00-20140621, 7.00-20140729, 7.00-20141022, 8.00-20140730, and 8.00-20141023. | 8.6 |
2017-06-16 | CVE-2017-7884 | Apcupsd | Uncontrolled Search Path Element vulnerability in Apcupsd APC UPS Daemon 3.14.14 In Adam Kropelin adk0212 APC UPS Daemon through 3.14.14, the default installation of APCUPSD allows a local authenticated, but unprivileged, user to run arbitrary code with elevated privileges by replacing the service executable apcupsd.exe with a malicious executable that will run with SYSTEM privileges at startup. | 8.4 |
2017-06-13 | CVE-2017-4963 | Pivotal Software | Session Fixation vulnerability in Pivotal Software Cloud Foundry UAA An issue was discovered in Cloud Foundry Foundation Cloud Foundry release v252 and earlier versions, UAA stand-alone release v2.0.0 - v2.7.4.12 & v3.0.0 - v3.11.0, and UAA bosh release v26 & earlier versions. | 8.1 |
2017-06-15 | CVE-2017-8487 | Microsoft | Unspecified vulnerability in Microsoft Windows Server 2003 and Windows XP Windows OLE in Windows XP and Windows Server 2003 allows an attacker to execute code when a victim opens a specially crafted file or program aka "Windows olecnv32.dll Remote Code Execution Vulnerability." | 7.8 |
2017-06-15 | CVE-2017-8461 | Microsoft | Unspecified vulnerability in Microsoft Windows Server 2003 and Windows XP Windows RPC with Routing and Remote Access enabled in Windows XP and Windows Server 2003 allows an attacker to execute code on a targeted RPC server which has Routing and Remote Access enabled via a specially crafted application, aka "Windows RPC Remote Code Execution Vulnerability." | 7.8 |
2017-06-15 | CVE-2016-10395 | Flexerasoftware | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Flexerasoftware Flexnet Publisher 11.10/11.13.1.0/11.14.1 In FlexNet Publisher versions before Luton SP1 (11.14.1.1) running FlexNet Publisher Licensing Service on Windows platform, a boundary error related to a named pipe within the FlexNet Publisher Licensing Service can be exploited to cause an out-of-bounds memory read access and subsequently execute arbitrary code with SYSTEM privileges. | 7.8 |
2017-06-15 | CVE-2017-9670 | Gnuplot Project | Access of Uninitialized Pointer vulnerability in Gnuplot Project Gnuplot 5.2 An uninitialized stack variable vulnerability in load_tic_series() in set.c in gnuplot 5.2.rc1 allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or possibly have unspecified other impact when a victim opens a specially crafted file. | 7.8 |
2017-06-15 | CVE-2017-8552 | Microsoft | Improper Preservation of Permissions vulnerability in Microsoft Windows 7 and Windows Server 2008 A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows 8 allows an elevation of privilege when it fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-8513 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Powerpoint and Sharepoint Server A remote code execution vulnerability exists in Microsoft PowerPoint when the software fails to properly handle objects in memory, aka "Microsoft PowerPoint Remote Code Execution Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-8511 | Microsoft | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-8507 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Outlook A remote code execution vulnerability exists in the way Microsoft Office software parses specially crafted email messages, aka "Microsoft Office Memory Corruption Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-8506 | Microsoft | Unspecified vulnerability in Microsoft Outlook 2010/2013/2016 A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-8468 | Microsoft | Improper Preservation of Permissions vulnerability in Microsoft products Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This CVE ID is unique from CVE-2017-8465. | 7.8 |
2017-06-15 | CVE-2017-8466 | Microsoft | Improper Preservation of Permissions vulnerability in Microsoft products Windows Cursor in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows improper elevation of privilege, aka "Windows Cursor Elevation of Privilege Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-8465 | Microsoft | Improper Preservation of Permissions vulnerability in Microsoft products Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to run processes in an elevated context when the Windows kernel improperly handles objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This CVE ID is unique from CVE-2017-8468. | 7.8 |
2017-06-15 | CVE-2017-0296 | Microsoft | Classic Buffer Overflow vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to elevate privilege when tdx.sys fails to check the length of a buffer prior to copying memory to it, aka "Windows TDX Elevation of Privilege Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-0294 | Microsoft | Unspecified vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to execute remote code when Windows fails to properly handle cabinet files, aka "Windows Remote Code Execution Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-0292 | Microsoft | Unspecified vulnerability in Microsoft products Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows remote code execution if a user opens a specially crafted PDF file, aka "Windows PDF Remote Code Execution Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-0291 | Microsoft | Unspecified vulnerability in Microsoft products Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows remote code execution if a user opens a specially crafted PDF file, aka "Windows PDF Remote Code Execution Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-0260 | Microsoft | Unspecified vulnerability in Microsoft Office, Windows 7 and Windows Server 2008 A remote code execution vulnerability exists in Microsoft Office when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". | 7.8 |
2017-06-15 | CVE-2017-0193 | Microsoft | Improper Handling of Exceptional Conditions vulnerability in Microsoft products Windows Hyper-V in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an attacker to gain elevated privileges on a target guest operating system when Windows Hyper-V instruction emulation fails to properly enforce privilege levels, aka "Hypervisor Code Integrity Elevation of Privilege Vulnerability". | 7.8 |
2017-06-14 | CVE-2017-0663 | Out-of-bounds Write vulnerability in Google Android A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. | 7.8 | |
2017-06-14 | CVE-2017-0648 | Linux | Unspecified vulnerability in Linux Kernel 3.10 An elevation of privilege vulnerability in the kernel FIQ debugger could enable a local malicious application to execute arbitrary code within the context of the kernel. | 7.8 |
2017-06-14 | CVE-2017-0638 | Out-of-bounds Write vulnerability in Google Android 7.1.1/7.1.2 A remote code execution vulnerability in System UI component could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. | 7.8 | |
2017-06-14 | CVE-2017-0637 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android A remote code execution vulnerability in libhevc in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. | 7.8 | |
2017-06-13 | CVE-2017-8241 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a WLAN function due to an incorrect message length. | 7.8 | |
2017-06-13 | CVE-2017-8240 | Out-of-bounds Read vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a kernel driver has an off-by-one buffer over-read vulnerability. | 7.8 | |
2017-06-13 | CVE-2017-8238 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a camera function. | 7.8 | |
2017-06-13 | CVE-2017-8237 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists while loading a firmware image. | 7.8 | |
2017-06-13 | CVE-2017-8236 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in an IPA driver. | 7.8 | |
2017-06-13 | CVE-2017-8234 | Out-of-bounds Read vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an out of bounds access can potentially occur in a camera function. | 7.8 | |
2017-06-13 | CVE-2017-8233 | Out-of-bounds Write vulnerability in Google Android In a camera driver function in all Android releases from CAF using the Linux kernel, a bounds check is missing when writing into an array potentially leading to an out-of-bounds heap write. | 7.8 | |
2017-06-13 | CVE-2017-7373 | Double Free vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a double free vulnerability exists in a display driver. | 7.8 | |
2017-06-13 | CVE-2017-7371 | Use After Free vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a data pointer is potentially used after it has been freed when SLIMbus is turned off by Bluetooth. | 7.8 | |
2017-06-13 | CVE-2017-7369 | Improper Input Validation vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an array index in an ALSA routine is not properly validating potentially leading to kernel stack corruption. | 7.8 | |
2017-06-13 | CVE-2017-7367 | Integer Underflow (Wrap or Wraparound) vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an integer underflow vulnerability exists while processing the boot image. | 7.8 | |
2017-06-13 | CVE-2017-7365 | Out-of-bounds Read vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overread can occur if a particular string is not NULL terminated. | 7.8 | |
2017-06-13 | CVE-2016-10342 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a syscall handler. | 7.8 | |
2017-06-13 | CVE-2016-10341 | Permissions, Privileges, and Access Controls vulnerability in Google Android In all Android releases from CAF using the Linux kernel, 3rd party TEEs have more privilege than intended. | 7.8 | |
2017-06-13 | CVE-2016-10340 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an integer underflow leading to buffer overflow vulnerability exists in a syscall handler. | 7.8 | |
2017-06-13 | CVE-2016-10338 | Improper Input Validation vulnerability in Google Android In all Android releases from CAF using the Linux kernel, there was an issue related to RPMB processing. | 7.8 | |
2017-06-13 | CVE-2015-9033 | Improper Input Validation vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a QTEE system call fails to validate a pointer. | 7.8 | |
2017-06-13 | CVE-2015-9030 | Missing Authentication for Critical Function vulnerability in Google Android In all Android releases from CAF using the Linux kernel, the Hypervisor API could be misused to bypass authentication. | 7.8 | |
2017-06-13 | CVE-2015-9029 | Improper Access Control vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a vulnerability exists in the access control settings of modem memory. | 7.8 | |
2017-06-13 | CVE-2015-9028 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a cryptographic routine. | 7.8 | |
2017-06-13 | CVE-2015-9027 | NULL Pointer Dereference vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an untrusted pointer dereference vulnerability exists in WideVine DRM. | 7.8 | |
2017-06-13 | CVE-2015-9026 | NULL Pointer Dereference vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an untrusted pointer dereference vulnerability exists in WideVine DRM. | 7.8 | |
2017-06-13 | CVE-2015-9025 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a QTEE application. | 7.8 | |
2017-06-13 | CVE-2015-9023 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in the PlayReady API. | 7.8 | |
2017-06-13 | CVE-2015-9020 | NULL Pointer Dereference vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an untrusted pointer dereference vulnerability exists in the unlocking of memory. | 7.8 | |
2017-06-13 | CVE-2014-9967 | NULL Pointer Dereference vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an untrusted pointer dereference vulnerability exists in WideVine DRM. | 7.8 | |
2017-06-13 | CVE-2014-9965 | Improper Input Validation vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a vulnerability exists in the parsing of an SCM call. | 7.8 | |
2017-06-13 | CVE-2014-9964 | Integer Overflow or Wraparound vulnerability in Google Android In all Android releases from CAF using the Linux kernel, an integer overflow vulnerability exists in debug functionality. | 7.8 | |
2017-06-13 | CVE-2014-9963 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WideVine DRM. | 7.8 | |
2017-06-13 | CVE-2014-9962 | Improper Input Validation vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a vulnerability exists in the parsing of a DRM provisioning command. | 7.8 | |
2017-06-13 | CVE-2014-9961 | Improper Access Control vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a vulnerability in eMMC write protection exists that can be used to bypass power-on write protection. | 7.8 | |
2017-06-13 | CVE-2014-9960 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in the PlayReady API. | 7.8 | |
2017-06-13 | CVE-2015-4596 | Lenovo | Permissions, Privileges, and Access Controls vulnerability in Lenovo Mouse Suite 6.72 Lenovo Mouse Suite before 6.73 allows local users to run arbitrary code with administrator privileges. | 7.8 |
2017-06-13 | CVE-2017-9552 | Synology | Improper Authentication vulnerability in Synology Photo Station A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. | 7.8 |
2017-06-13 | CVE-2017-4966 | Pivotal Software Vmware Debian | Information Exposure vulnerability in multiple products An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. | 7.8 |
2017-06-16 | CVE-2017-9231 | Citrix | XXE vulnerability in Citrix Xenmobile Server XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x and 10.x before 10.5 RP3 allows attackers to obtain sensitive information via unspecified vectors. | 7.5 |
2017-06-16 | CVE-2017-9735 | Eclipse Debian Oracle | Information Exposure Through Discrepancy vulnerability in multiple products Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. | 7.5 |
2017-06-16 | CVE-2017-8452 | Elastic | Uncontrolled File Descriptor Consumption vulnerability in Elastic Kibana Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. | 7.5 |
2017-06-16 | CVE-2017-8450 | Elastic | Information Exposure vulnerability in Elastic X-Pack 5.1.1 X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. | 7.5 |
2017-06-16 | CVE-2016-10363 | Elastic | Improper Resource Shutdown or Release vulnerability in Elastic Logstash Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. | 7.5 |
2017-06-16 | CVE-2016-1000222 | Elastic | Argument Injection or Modification vulnerability in Elastic Logstash Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. | 7.5 |
2017-06-16 | CVE-2016-1000221 | Elastic | Information Exposure vulnerability in Elastic Logstash Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. | 7.5 |
2017-06-16 | CVE-2016-1000219 | Elastic | Improper Authorization vulnerability in Elastic Kibana Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. | 7.5 |
2017-06-16 | CVE-2017-7507 | GNU | NULL Pointer Dereference vulnerability in GNU Gnutls GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. | 7.5 |
2017-06-16 | CVE-2017-9731 | Yocto Project | Information Exposure vulnerability in Yocto Project YP Core-Pyro 2.3 In meta/classes/package_ipk.bbclass in Poky in poky-pyro 17.0.0 for Yocto Project through YP Core - Pyro 2.3, attackers can obtain sensitive information by reading a URL in a Source entry in an ipk package. | 7.5 |
2017-06-16 | CVE-2017-9729 | Uclibc | Uncontrolled Recursion vulnerability in Uclibc 0.9.33.2 In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a crafted regular expression. | 7.5 |
2017-06-15 | CVE-2017-7629 | Qnap | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Qnap QTS QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function. | 7.5 |
2017-06-15 | CVE-2017-9675 | Dlink | Improper Input Validation vulnerability in Dlink Dir-605L Firmware 2.08B01 On D-Link DIR-605L devices, firmware before 2.08UIBetaB01.bin allows an unauthenticated GET request to trigger a reboot. | 7.5 |
2017-06-15 | CVE-2015-7732 | Avira | Information Exposure vulnerability in Avira Mobile Security 1.5.7 The Avira Mobile Security app before 1.5.11 for iOS sends sensitive login information in cleartext. | 7.5 |
2017-06-15 | CVE-2017-1379 | IBM | Information Exposure vulnerability in IBM API Connect IBM API Connect 5.0.0.0 could allow a remote attacker to obtain sensitive information, caused by improper handling of requests to the Developer Portal. | 7.5 |
2017-06-15 | CVE-2017-8549 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system when Microsoft Edge improperly handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8548 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system when Microsoft Edge improperly handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8547 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 10/11 Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, and Windows Server 2012 and R2 allow an attacker to execute arbitrary code in the context of the current user when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8524 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge and Internet Explorer Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an allow an attacker to execute arbitrary code in the context of the current user when the JavaScript engines fail to render when handling objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8522 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge and Internet Explorer Microsoft browsers in Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an allow an attacker to execute arbitrary code in the context of the current user when the JavaScript engines fail to render when handling objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8521 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitrary code in the context of the current user when the Edge JavaScript scripting engine fails to handle objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8520 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitrary code in the context of the current user when the Edge JavaScript scripting engine fails to handle objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8519 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 10/11/9 Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, and Windows Server 2012 and R2 allow an attacker to execute arbitrary code in the context of the current user when Internet Explorer improperly accesses objects in memory, aka "Internet Explorer Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8517 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 10/11/9 Microsoft browsers in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an allow an attacker to execute arbitrary code in the context of the current user when the JavaScript engines fail to render when handling objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8499 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitrary code in the context of the current user when the Edge JavaScript scripting engine fails to handle objects in memory, aka "Scripting Engine Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8497 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge Microsoft Edge in Windows 10 1607 and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability". | 7.5 |
2017-06-15 | CVE-2017-8496 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge Microsoft Edge in Windows 10 1607 and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability". | 7.5 |
2017-06-14 | CVE-2017-7910 | Digital Canal Structural | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Digital Canal Structural Wind Analysis 9.1 A Stack-Based Buffer Overflow issue was discovered in Digital Canal Structural Wind Analysis versions 9.1 and prior. | 7.5 |
2017-06-14 | CVE-2017-4981 | Dell | Improper Certificate Validation vulnerability in Dell Bsafe Cert-C 2.7 EMC RSA BSAFE Cert-C before 2.9.0.5 contains a potential improper certificate processing vulnerability. | 7.5 |
2017-06-13 | CVE-2016-5391 | Libreswan Fedoraproject | NULL Pointer Dereference vulnerability in multiple products libreswan before 3.18 allows remote attackers to cause a denial of service (NULL pointer dereference and pluto daemon restart). | 7.5 |
2017-06-13 | CVE-2016-3704 | Fedoraproject Pulpproject | Credentials Management vulnerability in multiple products Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords. | 7.5 |
2017-06-13 | CVE-2015-3220 | Tlslite Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tlslite Project Tlslite The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash). | 7.5 |
2017-06-13 | CVE-2017-9604 | KDE | Missing Encryption of Sensitive Data vulnerability in KDE Kmail and Messagelib KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network. | 7.5 |
2017-06-13 | CVE-2017-6681 | Cisco | Information Exposure vulnerability in Cisco Ultra Services Framework 21.0.0 A vulnerability in the AutoVNF VNFStagingView class of Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to execute a relative path traversal attack, enabling an attacker to read sensitive files on the system. | 7.5 |
2017-06-13 | CVE-2017-6680 | Cisco | Improper Input Validation vulnerability in Cisco Ultra Services Framework 21.0.0 A vulnerability in the AutoVNF logging function of Cisco Ultra Services Framework could allow an unauthenticated, remote attacker to create arbitrary directories on the affected system. | 7.5 |
2017-06-13 | CVE-2017-6674 | Cisco | Improper Input Validation vulnerability in Cisco Firesight System A vulnerability in the feature-license management functionality of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass URL filters that have been configured for an affected device. | 7.5 |
2017-06-13 | CVE-2017-6671 | Cisco | Improper Input Validation vulnerability in Cisco Email Security Appliance Firmware 10.0.1087/9.7.1066 A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device, as demonstrated by the Attachment Filter. | 7.5 |
2017-06-13 | CVE-2017-4994 | Pivotal Software Cloudfoundry | Improper Input Validation vulnerability in multiple products An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v263; UAA release 2.x versions prior to v2.7.4.18, 3.6.x versions prior to v3.6.12, 3.9.x versions prior to v3.9.14, and other versions prior to v4.3.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.16, 24.x versions prior to v24.11, 30.x versions prior to 30.4, and other versions prior to v40. | 7.5 |
2017-06-13 | CVE-2017-4975 | Pivotal | Incorrect Default Permissions vulnerability in Pivotal PCF Tile Generator 5.0.7 An issue was discovered in Pivotal PCF Tile Generator versions prior to 6.0.0. | 7.5 |
2017-06-13 | CVE-2017-4972 | Pivotal Software Cloudfoundry | SQL Injection vulnerability in multiple products An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. | 7.5 |
2017-06-12 | CVE-2017-7667 | Apache | Origin Validation Error vulnerability in Apache Nifi Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the response header telling browsers to only allow framing with the same origin. | 7.5 |
2017-06-12 | CVE-2017-9557 | Echatserver | Insufficiently Protected Credentials vulnerability in Echatserver Easy Chat Server register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to discover passwords by sending the username parameter in conjunction with an empty password parameter, and reading the HTML source code of the response. | 7.5 |
2017-06-12 | CVE-2017-9543 | Echatserver | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Echatserver Easy Chat Server register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allows remote attackers to reset arbitrary passwords via a crafted POST request to registresult.htm. | 7.5 |
2017-06-15 | CVE-2017-9606 | Infotecs | Incorrect Permission Assignment for Critical Resource vulnerability in Infotecs Vipnet Client and Vipnet Coordinator Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local users to gain privileges by placing a Trojan horse ViPNet update file in the update folder. | 7.3 |
2017-06-15 | CVE-2017-8494 | Microsoft | Improper Preservation of Permissions vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow a locally-authenticated attacker to run a specially crafted application on a targeted system when Windows Secure Kernel Mode fails to properly handle objects in memory, aka "Windows Elevation of Privilege Vulnerability". | 7.3 |
2017-06-15 | CVE-2017-8460 | Microsoft | Information Exposure vulnerability in Microsoft products Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows information disclosure when a user opens a specially crafted PDF file, aka "Windows PDF Information Disclosure Vulnerability". | 7.3 |
2017-06-15 | CVE-2017-0298 | Microsoft | Unspecified vulnerability in Microsoft products A DCOM object in Helppane.exe in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016, when configured to run as the interactive user, allows an authenticated attacker to run arbitrary code in another user's session, aka "Windows COM Session Elevation of Privilege Vulnerability." | 7.3 |
2017-06-13 | CVE-2017-4991 | Pivotal Software Cloudfoundry | Improper Privilege Management vulnerability in multiple products An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v260; UAA release 2.x versions prior to v2.7.4.16, 3.6.x versions prior to v3.6.10, 3.9.x versions prior to v3.9.12, and other versions prior to v3.17.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.14, 24.x versions prior to v24.9, 30.x versions prior to 30.2, and other versions prior to v36. | 7.2 |
2017-06-13 | CVE-2016-10339 | Information Exposure vulnerability in Google Android In all Android releases from CAF using the Linux kernel, HLOS can overwite secure memory or read contents of the keystore. | 7.1 | |
2017-06-14 | CVE-2017-0649 | Unspecified vulnerability in Google Android 7.1.2 An elevation of privilege vulnerability in the MediaTek sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | 7.0 | |
2017-06-14 | CVE-2017-0636 | Unspecified vulnerability in Google Android 7.1.2 An elevation of privilege vulnerability in the MediaTek command queue driver could enable a local malicious application to execute arbitrary code within the context of the kernel. | 7.0 | |
2017-06-13 | CVE-2017-7372 | Race Condition vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a race condition exists in a video driver potentially leading to buffer overflow or write to arbitrary pointer location. | 7.0 | |
2017-06-13 | CVE-2017-7370 | Use After Free vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a race condition exists in a video driver potentially leading to a use-after-free condition. | 7.0 | |
2017-06-13 | CVE-2017-7368 | Race Condition vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a race condition potentially exists in the ioctl handler of a sound driver. | 7.0 | |
2017-06-13 | CVE-2015-9022 | Race Condition vulnerability in Google Android In all Android releases from CAF using the Linux kernel, time-of-check Time-of-use (TOCTOU) Race Conditions exist in several TZ APIs. | 7.0 | |
2017-06-13 | CVE-2014-9966 | Race Condition vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists in Secure Display. | 7.0 |
207 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2017-06-16 | CVE-2015-3254 | Apache | Improper Input Validation vulnerability in Apache Thrift The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. | 6.5 |
2017-06-16 | CVE-2016-10364 | Elastic | Permissions, Privileges, and Access Controls vulnerability in Elastic Kibana 5.0.0/5.0.1 With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions. | 6.5 |
2017-06-16 | CVE-2016-10362 | Elasticsearch | Information Exposure vulnerability in Elasticsearch Output Plugin 2.3.3/5.0.0 Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials. | 6.5 |
2017-06-15 | CVE-2017-8545 | Microsoft | Improper Input Validation vulnerability in Microsoft Outlook 2016 A spoofing vulnerability exists in when Microsoft Outlook for Mac does not sanitize html properly, aka "Microsoft Outlook for Mac Spoofing Vulnerability". | 6.5 |
2017-06-15 | CVE-2017-8534 | Microsoft | Information Exposure vulnerability in Microsoft Office, Windows 7 and Windows Server 2008 Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, Windows Server 2016, Microsoft Office 2007 SP3, and Microsoft Office 2010 SP2 allows improper disclosure of memory contents, aka "Windows Uniscribe Information Disclosure Vulnerability". | 6.5 |
2017-06-15 | CVE-2017-8533 | Microsoft | Information Exposure vulnerability in Microsoft products Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows improper disclosure of memory contents, aka "Graphics Uniscribe Information Disclosure Vulnerability". | 6.5 |
2017-06-15 | CVE-2017-8532 | Microsoft | Information Exposure vulnerability in Microsoft products Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows improper disclosure of memory contents, aka "Graphics Uniscribe Information Disclosure Vulnerability". | 6.5 |
2017-06-15 | CVE-2017-8531 | Microsoft | Information Exposure vulnerability in Microsoft products Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, Windows Server 2016, Microsoft Office 2007 Service Pack 3, and Microsoft Office 2010 Service Pack 2 allows improper disclosure of memory contents, aka "Graphics Uniscribe Information Disclosure Vulnerability". | 6.5 |
2017-06-15 | CVE-2017-8529 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Edge and Internet Explorer Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows RT 8.1, and Windows Server 2012 and R2 allow an attacker to detect specific files on the user's computer when affected Microsoft scripting engines do not properly handle objects in memory, aka "Microsoft Browser Information Disclosure Vulnerability". | 6.5 |
2017-06-14 | CVE-2017-9463 | Piwigo | SQL Injection vulnerability in Piwigo The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. | 6.5 |
2017-06-14 | CVE-2017-5697 | Intel | Improper Restriction of Rendered UI Layers or Frames vulnerability in Intel Active Management Technology Firmware Insufficient clickjacking protection in the Web User Interface of Intel AMT firmware versions before 9.1.40.1000, 9.5.60.1952, 10.0.50.1004, 11.0.0.1205, and 11.6.25.1129 potentially allowing a remote attacker to hijack users web clicks via attacker's crafted web page. | 6.5 |
2017-06-13 | CVE-2017-6697 | Cisco | Information Exposure vulnerability in Cisco Elastic Services Controller 2.2(9.76) A vulnerability in the web interface of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive system credentials that are stored in an affected system. | 6.5 |
2017-06-13 | CVE-2017-6691 | Cisco | Information Exposure vulnerability in Cisco Elastic Services Controller 2.3(2) A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive information on an affected system. | 6.5 |
2017-06-13 | CVE-2017-6673 | Cisco | Information Exposure vulnerability in Cisco Secure Firewall Management Center 6.1.0.2/6.2.0 A vulnerability in Cisco Firepower Management Center could allow an authenticated, remote attacker to obtain user information. | 6.5 |
2017-06-13 | CVE-2017-6655 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition when an FCoE-related process unexpectedly reloads. | 6.5 |
2017-06-13 | CVE-2017-4974 | Pivotal Software Cloudfoundry | SQL Injection vulnerability in multiple products An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v258; UAA release 2.x versions prior to v2.7.4.15, 3.6.x versions prior to v3.6.9, 3.9.x versions prior to v3.9.11, and other versions prior to v3.16.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.13, 24.x versions prior to v24.8, and other versions prior to v30.1. | 6.5 |
2017-06-13 | CVE-2016-8219 | Cloudfoundry | Improper Privilege Management vulnerability in Cloudfoundry Capi-Release and Cf-Release An issue was discovered in Cloud Foundry Foundation cf-release versions prior to 250 and CAPI-release versions prior to 1.12.0. | 6.5 |
2017-06-12 | CVE-2017-9128 | Libquicktime | Out-of-bounds Read vulnerability in Libquicktime 1.2.4 The quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted mp4 file. | 6.5 |
2017-06-12 | CVE-2017-9127 | Libquicktime | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libquicktime 1.2.4 The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted mp4 file. | 6.5 |
2017-06-12 | CVE-2017-9126 | Libquicktime | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libquicktime 1.2.4 The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted mp4 file. | 6.5 |
2017-06-12 | CVE-2017-9125 | Libquicktime | Out-of-bounds Read vulnerability in Libquicktime 1.2.4 The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted mp4 file. | 6.5 |
2017-06-12 | CVE-2017-9124 | Libquicktime | NULL Pointer Dereference vulnerability in Libquicktime 1.2.4 The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file. | 6.5 |
2017-06-12 | CVE-2017-9123 | Libquicktime | Out-of-bounds Read vulnerability in Libquicktime 1.2.4 The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted mp4 file. | 6.5 |
2017-06-12 | CVE-2017-9122 | Libquicktime | Infinite Loop vulnerability in Libquicktime 1.2.4 The quicktime_read_moov function in moov.c in libquicktime 1.2.4 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted mp4 file. | 6.5 |
2017-06-12 | CVE-2017-8871 | Gnome Opensuse | Infinite Loop vulnerability in multiple products The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file. | 6.5 |
2017-06-12 | CVE-2017-8834 | Gnome Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file. | 6.5 |
2017-06-16 | CVE-2017-6899 | Lineageos | NULL Pointer Dereference vulnerability in Lineageos The msm_bus_dbg_update_request_write function in drivers/platform/msm/msm_bus/msm_bus_dbg.c in android_kernel_huawei_msm8916 through 2017-06-16 in LineageOS, and possibly other kernels for MSM devices, allows attackers to cause a denial of service (NULL pointer dereference and device crash) via a crafted /sys/kernel/debug/msm-bus-dbg/client-data/update-request write request. | 6.2 |
2017-06-18 | CVE-2017-9668 | Cmsmadesimple | Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.1.6 In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user group, there is no XSS filtering, resulting in storage-type XSS generation, via the description parameter in an addgroup action. | 6.1 |
2017-06-16 | CVE-2017-8451 | Elastic | Open Redirect vulnerability in Elastic Kibana With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | 6.1 |
2017-06-16 | CVE-2016-10366 | Elastic | Cross-site Scripting vulnerability in Elastic Kibana Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. | 6.1 |
2017-06-16 | CVE-2016-10365 | Elastic | Open Redirect vulnerability in Elastic Kibana Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. | 6.1 |
2017-06-16 | CVE-2016-1000220 | Elastic | Cross-site Scripting vulnerability in Elastic Kibana Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. | 6.1 |
2017-06-16 | CVE-2015-9056 | Elastic | Cross-site Scripting vulnerability in Elastic Kibana Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. | 6.1 |
2017-06-15 | CVE-2017-9419 | Webhammer | Cross-site Scripting vulnerability in Webhammer WP Custom Fields Search 0.3.28 Cross-site scripting (XSS) vulnerability in the Webhammer WP Custom Fields Search plugin 0.3.28 for WordPress allows remote attackers to inject arbitrary JavaScript via the cs-all-0 parameter. | 6.1 |
2017-06-15 | CVE-2017-8551 | Microsoft | Cross-site Scripting vulnerability in Microsoft Project Server 2013 An elevation of privilege vulnerability exists when Microsoft SharePoint software fails to properly sanitize a specially crafted requests, aka "Microsoft SharePoint XSS vulnerability". | 6.1 |
2017-06-14 | CVE-2017-9624 | Epesi | Cross-site Scripting vulnerability in Epesi Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted currency decimal-sign data. | 6.1 |
2017-06-14 | CVE-2017-9623 | Epesi | Cross-site Scripting vulnerability in Epesi Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted country data. | 6.1 |
2017-06-14 | CVE-2017-9622 | Epesi | Cross-site Scripting vulnerability in Epesi Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1.8.2 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted common data. | 6.1 |
2017-06-14 | CVE-2017-9621 | Epesi | Cross-site Scripting vulnerability in Epesi Cross-site scripting (XSS) vulnerability in modules/Base/Lang/Administrator/update_translation.php in EPESI in Telaxus/EPESI 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) original or (2) new parameter. | 6.1 |
2017-06-14 | CVE-2017-9464 | Piwigo | Open Redirect vulnerability in Piwigo An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. | 6.1 |
2017-06-13 | CVE-2017-6675 | Cisco | Cross-site Scripting vulnerability in Cisco Industrial Network Director 1.1(0.176) A vulnerability in the web interface of Cisco Industrial Network Director could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against an affected system. | 6.1 |
2017-06-13 | CVE-2017-6670 | Cisco | Open Redirect vulnerability in Cisco Unified Communications Domain Manager 8.1(7)Er1 A vulnerability in the web-based GUI of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to redirect a user to a malicious web page, aka an Open Redirect issue. | 6.1 |
2017-06-13 | CVE-2017-6661 | Cisco | Cross-site Scripting vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Email Security Appliance (ESA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device, aka Message Tracking XSS. | 6.1 |
2017-06-13 | CVE-2017-4967 | Pivotal Software Vmware Debian | Cross-site Scripting vulnerability in multiple products An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. | 6.1 |
2017-06-13 | CVE-2017-4965 | Pivotal Software Vmware Debian | Cross-site Scripting vulnerability in multiple products An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions prior to 3.6.9; and these RabbitMQ for PCF versions: all 1.5.x versions, 1.6.x versions prior to 1.6.18, and 1.7.x versions prior to 1.7.15. | 6.1 |
2017-06-12 | CVE-2015-9097 | Mail Project | CRLF Injection vulnerability in Mail Project Mail The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. | 6.1 |
2017-06-12 | CVE-2015-9096 | Ruby Lang | CRLF Injection vulnerability in Ruby-Lang Ruby Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. | 6.1 |
2017-06-12 | CVE-2017-7665 | Apache | Cross-site Scripting vulnerability in Apache Nifi In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient. | 6.1 |
2017-06-13 | CVE-2017-6666 | Cisco | Unspecified vulnerability in Cisco IOS XR A vulnerability in the forwarding component of Cisco IOS XR Software for Cisco Network Convergence System (NCS) 5500 Series Routers could allow an authenticated, local attacker to cause the router to stop forwarding data traffic across Traffic Engineering (TE) tunnels, resulting in a denial of service (DoS) condition. | 6.0 |
2017-06-16 | CVE-2017-8449 | Elastic | Information Exposure vulnerability in Elastic X-Pack 5.2.0/5.2.1/5.2.2 X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index. | 5.9 |
2017-06-16 | CVE-2017-9601 | Fnbkemp | Improper Certificate Validation vulnerability in Fnbkemp FNB Kemp Mobile Banking 3.0.2 The "FNB Kemp Mobile Banking" by First National Bank of Kemp app 3.0.2 -- aka fnb-kemp-mobile-banking/id571448725 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9600 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Peoples Bank Tulsa 3.0.2 The "Peoples Bank Tulsa" by Peoples Bank - OK app 3.0.2 -- aka peoples-bank-tulsa/id1074279285 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9599 | Fountaintrust | Improper Certificate Validation vulnerability in Fountaintrust Fountain Trust Mobile Banking 3.0.0 The "Fountain Trust Mobile Banking" by FOUNTAIN TRUST COMPANY app before 3.2.0 -- aka fountain-trust-mobile-banking/id891343006 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9598 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Morton Credit Union Mobile Banking 3.0.1 The "Morton Credit Union Mobile Banking" by Morton Credit Union app 3.0.1 -- aka morton-credit-union-mobile-banking/id1119623070 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9597 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Blue Ridge Bank and Trust CO. Mobile Banking 3.0.1 The "Blue Ridge Bank and Trust Co. | 5.9 |
2017-06-16 | CVE-2017-9596 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial CFB Mobile Banking 3.0.1 The "CFB Mobile Banking" by Citizens First Bank Wisconsin app 3.0.1 -- aka cfb-mobile-banking/id1081102805 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9595 | Fsbbigfork | Improper Certificate Validation vulnerability in Fsbbigfork First State Bank of Bigfork Mobile Banking 4.0.3 The "First State Bank of Bigfork Mobile Banking" by First State Bank of Bigfork app 4.0.3 -- aka first-state-bank-of-bigfork-mobile-banking/id1133969876 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9594 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial SVB Mobile 3.0.0 The "SVB Mobile" by Sauk Valley Bank Mobile Banking app 3.0.0 -- aka svb-mobile/id796429885 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9593 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Oculina Mobile Banking 3.0.0 The "Oculina Mobile Banking" by Oculina Bank app 3.0.0 -- aka oculina-mobile-banking/id867025690 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9592 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Your Legacy Federal Credit Union Mobile Banking 3.0.1 The "Your Legacy Federal Credit Union Mobile Banking" by Your Legacy Federal Credit Union app 3.0.1 -- aka your-legacy-federal-credit-union-mobile-banking/id919131389 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9591 | Mypcb | Improper Certificate Validation vulnerability in Mypcb PCB Mobile 3.0.2 The "PCB Mobile" by Phelps County Bank app 3.0.2 -- aka pcb-mobile/id436891295 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9590 | SBW | Improper Certificate Validation vulnerability in SBW State Bank of Waterloo Mobile Banking 3.0.2 The "State Bank of Waterloo Mobile Banking" by State Bank of Waterloo app 3.0.2 -- aka state-bank-of-waterloo-mobile-banking/id555321714 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9589 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Scsb Shelbyville IL Mobile Banking 3.0.0 The "SCSB Shelbyville IL Mobile Banking" by Shelby County State Bank app 3.0.0 -- aka scsb-shelbyville-il-mobile-banking/id938960224 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9588 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Oritani Mobile Banking 3.0.0 The "Oritani Mobile Banking" by Oritani Bank app 3.0.0 -- aka oritani-mobile-banking/id778851066 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9587 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Pcsb Bank Mobile 3.0.4 The "PCSB BANK Mobile" by PCSB Bank app 3.0.4 -- aka pcsb-bank-mobile/id1067472090 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9586 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Fsby Mobile Banking 3.0.0 The "FSBY Mobile Banking" by First State Bank of Yoakum TX app 3.0.0 -- aka fsby-mobile-banking/id899136434 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9585 | CSB Lamar | Improper Certificate Validation vulnerability in Csb-Lamar Community State Bank-Lamar The "Community State Bank - Lamar Mobile Banking" by Community State Bank - Lamar app 3.0.3 -- aka community-state-bank-lamar-mobile-banking/id1083927885 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9584 | Heritagebankozarks | Improper Certificate Validation vulnerability in Heritagebankozarks HBO Mobile Banking 3.0.0 The "HBO Mobile Banking" by Heritage Bank of Ozarks app 3.0.0 -- aka hbo-mobile-banking/id860224933 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9583 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Charlevoix State Bank 3.0.1 The "Charlevoix State Bank" by Charlevoix State Bank app 3.0.1 -- aka charlevoix-state-bank/id1128963717 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9582 | Bradynationalbank | Improper Certificate Validation vulnerability in Bradynationalbank BNB Mobile Banking 3.0.0 The "BNB Mobile Banking" by Brady National Bank app 3.0.0 -- aka bnb-mobile-banking/id674215747 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9581 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Algonquin State Bank Mobile Banking 3.0.0 The "Algonquin State Bank Mobile Banking" by Algonquin State Bank app 3.0.0 -- aka algonquin-state-bank-mobile-banking/id1089657735 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9580 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Pioneer Bank & Trust Mobile Banking 3.0.0 The "Pioneer Bank & Trust Mobile Banking" by PIONEER BANK AND TRUST app 3.0.0 -- aka pioneer-bank-trust-mobile-banking/id603182861 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9579 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Jmcu Mobile Banking 3.0.0 The "JMCU Mobile Banking" by Joplin Metro Credit Union app 3.0.0 -- aka jmcu-mobile-banking/id716065893 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9578 | Rivervalleycommunitybank | Improper Certificate Validation vulnerability in Rivervalleycommunitybank Rvcb Mobile 3.0.0 The "RVCB Mobile" by RVCB Mobile Banking app 3.0.0 -- aka rvcb-mobile/id757928895 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9577 | Fcbl | Improper Certificate Validation vulnerability in Fcbl First Citizens Bank-Mobile 3.0.0 The "First Citizens Bank-Mobile Banking" by First Citizens Bank (AL) app 3.0.0 -- aka first-citizens-bank-mobile-banking/id566037101 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9576 | Mononabank | Improper Certificate Validation vulnerability in Mononabank Middleton Community Bank Mobile 3.0.0 The "Middleton Community Bank Mobile Banking" by Middleton Community Bank app 3.0.0 -- aka middleton-community-bank-mobile-banking/id721843238 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9575 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial FVB Mobile Banking 3.1.1 The "FVB Mobile Banking" by First Volunteer Bank of Tennessee app 3.1.1 -- aka fvb-mobile-banking/id551018004 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9574 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial KC Area Credit Union Mobile Banking 3.0.1 The "KC Area Credit Union Mobile Banking" by K C Area Credit Union app 3.0.1 -- aka kc-area-credit-union-mobile-banking/id1097607736 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9573 | Northadamsbank | Improper Certificate Validation vulnerability in Northadamsbank Nasb Mobile Bank 3.0.1 The North Adams State Bank (Ursa) nasb-mobile-banking/id980573797 app 3.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9572 | Athensstatebank | Improper Certificate Validation vulnerability in Athensstatebank Athens State Bank Mobile 3.0.0 The athens-state-bank-mobile-banking/id719748589 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9571 | Ccbank | Improper Certificate Validation vulnerability in Ccbank CCB Mobile Banking 3.0.1 The Citizens Community Bank (TN) ccb-mobile-banking/id610030469 app 3.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9570 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Mount Vernon Bank & Trust Mobile Banking 3.0.0 The mount-vernon-bank-trust-mobile-banking/id542706679 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9569 | Citizensbanktx | Improper Certificate Validation vulnerability in Citizensbanktx Cbtx on the GO 3.0.0 The Citizens Bank (TX) cbtx-on-the-go/id892396102 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9568 | Myfpcu | Improper Certificate Validation vulnerability in Myfpcu Financial Plus Mobile Banking 3.0.3 The financial-plus-mobile-banking/id731070564 app 3.0.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9567 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial AVB Bank Mobile Banking 3.0.0 The avb-bank-mobile-banking/id592565443 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9566 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial FSB Dequeen Mobile Banking 3.0.1 The fsb-dequeen-mobile-banking/id1091025340 app 3.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9565 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial First Security Bank Sleepy EYE Mobile 3.0.0 The first-security-bank-sleepy-eye-mobile/id870531890 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9564 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Community Banks Cb2Go 3.1.3 The community-banks-cb2go/id445828071 app 3.1.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9563 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Fccb 3.0.1 The First Citizens Community Bank fccb/id809930960 app 3.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9562 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Freedom 1ST Credit Union Mobile Banking 3.0.0 The Freedom First freedom-1st-credit-union-mobile-banking/id1085229458 app 3.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9561 | Lbtc | Improper Certificate Validation vulnerability in Lbtc LEE Bank & Trust 3.0.1 The Lee Bank & Trust lbtc-mobile/id1068984753 app 3.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9560 | Cayugalakenationalbank | Improper Certificate Validation vulnerability in Cayugalakenationalbank Cayuga Lake National Bank 4.0.1 The cayuga-lake-national-bank/id1151601539 app 4.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9559 | Meafinancial | Improper Certificate Validation vulnerability in Meafinancial Vision Bank 3.0.1 The MEA Financial vision-bank/id420406345 app 3.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-16 | CVE-2017-9558 | Wawacu | Improper Certificate Validation vulnerability in Wawacu Wawa Employees Credit Union Mobile 4.0.1 The wawa-employees-credit-union-mobile/id1158082793 app 4.0.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 5.9 |
2017-06-14 | CVE-2017-7677 | Apache | Missing Authorization vulnerability in Apache Ranger In environments that use external location for hive tables, Hive Authorizer in Apache Ranger before 0.7.1 should be checking RWX permission for create table. | 5.9 |
2017-06-14 | CVE-2016-8746 | Apache | Untrusted Search Path vulnerability in Apache Ranger Apache Ranger before 0.6.3 policy engine incorrectly matches paths in certain conditions when policy does not contain wildcards and has recursion flag set to true. | 5.9 |
2017-06-13 | CVE-2017-8242 | Race Condition vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a race condition exists in a QTEE driver potentially leading to an arbitrary memory write. | 5.9 | |
2017-06-13 | CVE-2017-6656 | Cisco | Improper Input Validation vulnerability in Cisco IP Phone 8800 Series 11.0(0.1) A vulnerability in Session Initiation Protocol (SIP) call handling of Cisco IP Phone 8800 Series devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the SIP process unexpectedly restarting. | 5.9 |
2017-06-13 | CVE-2017-4971 | Pivotal | Insecure Default Initialization of Resource vulnerability in Pivotal Spring web Flow An issue was discovered in Pivotal Spring Web Flow through 2.4.4. | 5.9 |
2017-06-13 | CVE-2017-4970 | Cloudfoundry | Unspecified vulnerability in Cloudfoundry Cf-Release and Staticfile Buildpack An issue was discovered in Cloud Foundry Foundation cf-release v255 and Staticfile buildpack versions v1.4.0 - v1.4.3. | 5.9 |
2017-06-12 | CVE-2017-1214 | IBM | Information Exposure vulnerability in IBM Inotes IBM iNotes 8.5 and 9.0 could allow a remote attacker to send a malformed email to a victim, that when opened could cause an information disclosure. | 5.7 |
2017-06-12 | CVE-2017-9546 | Bigtreecms | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name. | 5.7 |
2017-06-17 | CVE-2017-1000380 | Linux | Information Exposure vulnerability in Linux Kernel sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. | 5.5 |
2017-06-16 | CVE-2017-9503 | Qemu Debian | NULL Pointer Dereference vulnerability in multiple products QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing. | 5.5 |
2017-06-16 | CVE-2017-9375 | Qemu Debian | Infinite Loop vulnerability in multiple products QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing. | 5.5 |
2017-06-16 | CVE-2017-9374 | Qemu | Memory Leak vulnerability in Qemu Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device. | 5.5 |
2017-06-16 | CVE-2017-9373 | Qemu Debian | Memory Leak vulnerability in multiple products Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device. | 5.5 |
2017-06-15 | CVE-2017-8544 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to obtain information to further compromise the user's system when Windows Search fails to handle objects in memory, aka "Windows Search Information Disclosure Vulnerability". | 5.5 |
2017-06-15 | CVE-2017-8515 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 1511, 1607, and 1703, and Windows Server 2016 allow an unauthenticated attacker to send a specially crafted kernel mode request to cause a denial of service on the target system, aka "Windows VAD Cloning Denial of Service Vulnerability". | 5.5 |
2017-06-15 | CVE-2017-8508 | Microsoft | Unspecified vulnerability in Microsoft Outlook A security feature bypass vulnerability exists in Microsoft Office software when it improperly handles the parsing of file formats, aka "Microsoft Office Security Feature Bypass Vulnerability". | 5.5 |
2017-06-15 | CVE-2017-8493 | Microsoft | Improper Handling of Case Sensitivity vulnerability in Microsoft products Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an attacker to set variables that are either read-only or require authentication when Windows fails to enforce case sensitivity for certain variable checks, aka "Windows Security Feature Bypass Vulnerability". | 5.5 |
2017-06-15 | CVE-2017-8469 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.5 |
2017-06-15 | CVE-2017-0295 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 1607 and 1703, and Windows Server 2016 allow an authenticated attacker to modify the C:\Users\DEFAULT folder structure, aka "Windows Default Folder Tampering Vulnerability". | 5.5 |
2017-06-14 | CVE-2017-9617 | Wireshark | Uncontrolled Recursion vulnerability in Wireshark 2.2.7 In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector. | 5.5 |
2017-06-14 | CVE-2017-9616 | Wireshark | Uncontrolled Recursion vulnerability in Wireshark 2.2.7 In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the dissect_mp4_box function in epan/dissectors/file-mp4.c. | 5.5 |
2017-06-14 | CVE-2017-0647 | Information Exposure vulnerability in Google Android An information disclosure vulnerability in libziparchive could enable a local malicious application to access data outside of its permission levels. | 5.5 | |
2017-06-14 | CVE-2017-0646 | Information Exposure vulnerability in Google Android An information disclosure vulnerability in Bluetooth component could enable a local malicious application to access data outside of its permission levels. | 5.5 | |
2017-06-14 | CVE-2017-0645 | Information Exposure vulnerability in Google Android An elevation of privilege vulnerability in Bluetooth could enable a local malicious application to access data outside of its permission levels. | 5.5 | |
2017-06-14 | CVE-2017-0644 | Unspecified vulnerability in Google Android A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | 5.5 | |
2017-06-14 | CVE-2017-0643 | Unspecified vulnerability in Google Android A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | 5.5 | |
2017-06-14 | CVE-2017-0642 | Unspecified vulnerability in Google Android A remote denial of service vulnerability in libhevc in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | 5.5 | |
2017-06-14 | CVE-2017-0641 | Improper Initialization vulnerability in Google Android A remote denial of service vulnerability in libvpx in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | 5.5 | |
2017-06-14 | CVE-2017-0640 | Unspecified vulnerability in Google Android A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. | 5.5 | |
2017-06-14 | CVE-2017-0639 | Information Exposure vulnerability in Google Android An information disclosure vulnerability in Bluetooth component could enable a local malicious application to access data outside of its permission levels. | 5.5 | |
2017-06-13 | CVE-2017-8239 | Information Exposure vulnerability in Google Android In all Android releases from CAF using the Linux kernel, userspace-controlled parameters for flash initialization are not sanitized potentially leading to exposure of kernel memory. | 5.5 | |
2017-06-13 | CVE-2017-8235 | Unspecified vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a memory structure in a camera driver is not properly protected. | 5.5 | |
2017-06-13 | CVE-2017-7366 | Improper Input Validation vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a KGSL ioctl was not validating all of its parameters. | 5.5 | |
2017-06-13 | CVE-2016-10337 | Improper Input Validation vulnerability in Google Android In all Android releases from CAF using the Linux kernel, some validation of secure applications was not being performed. | 5.5 | |
2017-06-13 | CVE-2016-10336 | 7PK - Security Features vulnerability in Google Android In all Android releases from CAF using the Linux kernel, some regions of memory were not protected during boot. | 5.5 | |
2017-06-13 | CVE-2016-10335 | Improper Access Control vulnerability in Google Android In all Android releases from CAF using the Linux kernel, libtomcrypt was updated. | 5.5 | |
2017-06-13 | CVE-2016-10334 | Improper Access Control vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a dynamically-protected DDR region could potentially get overwritten. | 5.5 | |
2017-06-13 | CVE-2016-10333 | Improper Access Control vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a sensitive system call was allowed to be called by HLOS. | 5.5 | |
2017-06-13 | CVE-2016-10332 | 7PK - Security Features vulnerability in Google Android In all Android releases from CAF using the Linux kernel, stack protection was not enabled for secure applications. | 5.5 | |
2017-06-13 | CVE-2015-9024 | Improper Access Control vulnerability in Google Android In all Android releases from CAF using the Linux kernel, some interfaces were improperly exposed to QTEE applications. | 5.5 | |
2017-06-13 | CVE-2015-9021 | Improper Access Control vulnerability in Google Android In all Android releases from CAF using the Linux kernel, access control to SMEM memory was not enabled. | 5.5 | |
2017-06-13 | CVE-2017-9605 | Linux | Information Exposure vulnerability in Linux Kernel The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. | 5.5 |
2017-06-13 | CVE-2016-3696 | Fedoraproject Pulpproject | Information Exposure vulnerability in multiple products The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key. | 5.5 |
2017-06-13 | CVE-2017-6696 | Cisco | Information Exposure vulnerability in Cisco Elastic Services Controller 2.3(2) A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive user credentials that are stored in an affected system. | 5.5 |
2017-06-13 | CVE-2017-6695 | Cisco | Information Exposure vulnerability in Cisco Ultra Services Platform 21.0.V0.65839 A vulnerability in the ConfD server in Cisco Ultra Services Platform could allow an authenticated, local attacker to view sensitive information. | 5.5 |
2017-06-13 | CVE-2017-6694 | Cisco | Insufficiently Protected Credentials vulnerability in Cisco Ultra Services Platform 21.0.V0.65839 A vulnerability in the Virtual Network Function Manager's (VNFM) logging function of Cisco Ultra Services Platform could allow an authenticated, local attacker to view sensitive data (cleartext credentials) on an affected system. | 5.5 |
2017-06-13 | CVE-2017-6693 | Cisco | Missing Authorization vulnerability in Cisco Elastic Services Controller 2.2(9.76)/2.3(1) A vulnerability in the ConfD server component of Cisco Elastic Services Controllers could allow an authenticated, local attacker to access information stored in the file system of an affected system, aka Unauthorized Directory Access. | 5.5 |
2017-06-15 | CVE-2017-9674 | Simplece | Cross-site Scripting vulnerability in Simplece 2.3.0 In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on index.php/content/text/1?return_url=[XSS] exploitable as a regular or admin user. | 5.4 |
2017-06-15 | CVE-2017-9613 | SAP | Cross-site Scripting vulnerability in SAP Successfactors B1702P5E.1190658 Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality. | 5.4 |
2017-06-15 | CVE-2017-8550 | Microsoft | Cross-site Scripting vulnerability in Microsoft Office 2016 A remote code execution vulnerability exists in Skype for Business when the software fails to sanitize specially crafted content, aka "Skype for Business Remote Code Execution Vulnerability". | 5.4 |
2017-06-15 | CVE-2017-8530 | Microsoft | Origin Validation Error vulnerability in Microsoft Edge Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to trick a user into loading a page with malicious content when Microsoft Edge does not properly enforce same-origin policies, aka "Microsoft Edge Security Feature Bypass Vulnerability". | 5.4 |
2017-06-15 | CVE-2017-8514 | Microsoft | Cross-site Scripting vulnerability in Microsoft Sharepoint Enterprise Server 2016 An information disclosure vulnerability exists when Microsoft SharePoint software fails to properly sanitize a specially crafted requests, aka "Microsoft SharePoint Reflective XSS Vulnerability". | 5.4 |
2017-06-13 | CVE-2017-1104 | IBM | Cross-site Scripting vulnerability in IBM Rational Quality Manager IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. | 5.4 |
2017-06-13 | CVE-2017-1102 | IBM | Cross-site Scripting vulnerability in IBM Rational Quality Manager IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. | 5.4 |
2017-06-13 | CVE-2017-1101 | IBM | Cross-site Scripting vulnerability in IBM Rational Quality Manager IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. | 5.4 |
2017-06-13 | CVE-2017-1100 | IBM | Cross-site Scripting vulnerability in IBM Rational Quality Manager IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. | 5.4 |
2017-06-13 | CVE-2016-9973 | IBM | Cross-site Scripting vulnerability in IBM products IBM Jazz Foundation is vulnerable to cross-site scripting. | 5.4 |
2017-06-12 | CVE-2017-1278 | IBM | Cross-site Scripting vulnerability in IBM products IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to HTML injection. | 5.4 |
2017-06-12 | CVE-2017-1276 | IBM | Cross-site Scripting vulnerability in IBM products IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. | 5.4 |
2017-06-12 | CVE-2017-1247 | IBM | Cross-site Scripting vulnerability in IBM products IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. | 5.4 |
2017-06-12 | CVE-2017-9548 | Bigtreecms | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change). | 5.4 |
2017-06-12 | CVE-2017-9547 | Bigtreecms | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change). | 5.4 |
2017-06-15 | CVE-2017-0219 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 Gold, Windows 10 1511, Windows 10 1607, and Windows Server 2016 allow an attacker to exploit a security feature bypass vulnerability in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This CVE ID is unique from CVE-2017-0173, CVE-2017-0215, CVE-2017-0216, and CVE-2017-0218. | 5.3 |
2017-06-15 | CVE-2017-0218 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 Gold, Windows 10 1511, Windows 10 1607, and Windows Server 2016 allow an attacker to exploit a security feature bypass vulnerability in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This CVE ID is unique from CVE-2017-0173, CVE-2017-0215, CVE-2017-0216, and CVE-2017-0219. | 5.3 |
2017-06-15 | CVE-2017-0216 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 1511, Windows 10 1607, and Windows Server 2016 allow an attacker to exploit a security feature bypass vulnerability in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This CVE ID is unique from CVE-2017-0173, CVE-2017-0215, CVE-2017-0218, and CVE-2017-0219. | 5.3 |
2017-06-15 | CVE-2017-0215 | Microsoft | Exposure of Resource to Wrong Sphere vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to exploit a security feature bypass vulnerability in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This CVE ID is unique from CVE-2017-0173, CVE-2017-0216, CVE-2017-0218, and CVE-2017-0219. | 5.3 |
2017-06-15 | CVE-2017-0173 | Microsoft | Unspecified vulnerability in Microsoft Windows 10 and Windows Server 2016 Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to exploit a security feature bypass vulnerability in Device Guard that could allow the attacker to inject malicious code into a Windows PowerShell session, aka "Device Guard Code Integrity Policy Security Feature Bypass Vulnerability." This CVE ID is unique from CVE-2017-0215, CVE-2017-0216, CVE-2017-0218, and CVE-2017-0219. | 5.3 |
2017-06-14 | CVE-2017-4986 | EMC | Information Exposure vulnerability in EMC Secure Remote Services 3.18 EMC ESRS VE 3.18 or earlier contains Authentication Bypass that could potentially be exploited by malicious users to compromise the affected system. | 5.3 |
2017-06-14 | CVE-2017-9502 | Haxx | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Haxx Curl In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. | 5.3 |
2017-06-15 | CVE-2017-8492 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8491 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8490 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8489 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8488 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8485 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8484 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-8483 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8482 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8481 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8480 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8479 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8478 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8477 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-8476 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8475 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-8474 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-8473 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and Windows Server 2016 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-8472 | Microsoft | Information Exposure vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Server 2012 Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-8471 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-8470 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allow an authenticated attacker to run a specially crafted application when the Windows kernel improperly initializes objects in memory, aka "Win32k Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-8462 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-0300 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-0299 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-0297 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows an authenticated attacker to obtain information via a specially crafted application. | 5.0 |
2017-06-15 | CVE-2017-0289 | Microsoft | Information Exposure vulnerability in Microsoft products Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows improper disclosure of memory contents, aka "Windows Graphics Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-0288 | Microsoft | Information Exposure vulnerability in Microsoft products Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows improper disclosure of memory contents, aka "Windows Graphics Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-0287 | Microsoft | Information Exposure vulnerability in Microsoft products Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows improper disclosure of memory contents, aka "Graphics Uniscribe Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-0286 | Microsoft | Information Exposure vulnerability in Microsoft Office, Windows 7 and Windows Server 2008 Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows improper disclosure of memory contents, aka "Windows Graphics Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-0285 | Microsoft | Information Exposure vulnerability in Microsoft products Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, Windows Server 2016, Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, and Microsoft Office Word Viewer allows improper disclosure of memory contents, aka "Windows Uniscribe Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-0284 | Microsoft | Information Exposure vulnerability in Microsoft products Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, Windows Server 2016, Microsoft Office 2007 SP3, and Microsoft Office 2010 SP2 allows improper disclosure of memory contents, aka "Windows Uniscribe Information Disclosure Vulnerability". | 5.0 |
2017-06-15 | CVE-2017-0282 | Microsoft | Information Exposure vulnerability in Microsoft products Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, Windows Server 2016, Microsoft Office 2007 SP3, and Microsoft Office 2010 SP2 allows improper disclosure of memory contents, aka "Windows Uniscribe Information Disclosure Vulnerability". | 5.0 |
2017-06-13 | CVE-2017-6690 | Cisco | Improper Input Validation vulnerability in Cisco ASR 5000 Software 21.0.V0.65839/21.3.M0.67005 A vulnerability in the file check operation of Cisco ASR 5000 Series Aggregated Services Routers running the Cisco StarOS operating system could allow an authenticated, remote attacker to overwrite or modify arbitrary files on an affected system. | 4.9 |
2017-06-13 | CVE-2017-6668 | Cisco | SQL Injection vulnerability in Cisco Unified Communications Domain Manager 8.1(7)Er1 Vulnerabilities in the web-based GUI of Cisco Unified Communications Domain Manager (CUCDM) could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries, aka SQL Injection. | 4.9 |
2017-06-14 | CVE-2016-8751 | Apache | Cross-site Scripting vulnerability in Apache Ranger Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site Scripting in when entering custom policy conditions. | 4.8 |
2017-06-15 | CVE-2017-8553 | Microsoft | Information Exposure vulnerability in Microsoft products An information disclosure vulnerability exists in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows Server 2016 when the Windows kernel improperly handles objects in memory, aka "GDI Information Disclosure Vulnerability". | 4.7 |
2017-06-14 | CVE-2017-0651 | Linux | Information Exposure vulnerability in Linux Kernel 3.18 An information disclosure vulnerability in the kernel ION subsystem could enable a local malicious application to access data outside of its permission levels. | 4.7 |
2017-06-14 | CVE-2017-0650 | Linux | Information Exposure vulnerability in Linux Kernel 3.10/3.18 An information disclosure vulnerability in the Synaptics touchscreen driver could enable a local malicious application to access data outside of its permission levels. | 4.7 |
2017-06-15 | CVE-2017-9505 | Atlassian | Incorrect Default Permissions vulnerability in Atlassian Confluence Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. | 4.3 |
2017-06-15 | CVE-2017-8555 | Microsoft | Improper Input Validation vulnerability in Microsoft Edge Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to trick a user into loading a page with malicious content when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents, aka "Microsoft Edge Security Feature Bypass Vulnerability". | 4.3 |
2017-06-15 | CVE-2017-8523 | Microsoft | Origin Validation Error vulnerability in Microsoft Edge Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to trick a user into loading a page with malicious content when Microsoft Edge fails to correctly apply Same Origin Policy for HTML elements present in other browser windows, aka "Microsoft Edge Security Feature Bypass Vulnerability". | 4.3 |
2017-06-15 | CVE-2017-8504 | Microsoft | Information Exposure vulnerability in Microsoft Edge Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 allows an attacker to read the URL of a cross-origin request when the Microsoft Edge Fetch API incorrectly handles a filtered response type, aka "Microsoft Edge Information Disclosure Vulnerability". | 4.3 |
2017-06-15 | CVE-2017-8498 | Microsoft | Information Exposure vulnerability in Microsoft Edge Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 allows an attacker to read data not intended to be disclosed when Edge allows JavaScript XML DOM objects to detect installed browser extensions, aka "Microsoft Edge Information Disclosure Vulnerability". | 4.3 |
2017-06-13 | CVE-2017-1099 | IBM | Information Exposure vulnerability in IBM products IBM Jazz Foundation could expose potentially sensitive information to authenticated users through stack trace error conditions. | 4.3 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2017-06-15 | CVE-2017-5244 | Rapid7 | Cross-Site Request Forgery (CSRF) vulnerability in Rapid7 Metasploit Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. | 3.5 |
2017-06-13 | CVE-2015-9032 | Information Exposure vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a DRM key was exposed to QTEE applications. | 3.3 | |
2017-06-13 | CVE-2015-9031 | Information Exposure vulnerability in Google Android In all Android releases from CAF using the Linux kernel, a TZ memory address is exposed to HLOS by HDCP. | 3.3 |