Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-15160 1 Libesedb Project 1 Libesedb 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
** DISPUTED ** The libesedb_catalog_definition_read function in libesedb_catalog_definition.c in libesedb through 2018-04-01 allows remote attackers to cause a heap-based buffer over-read via a crafted esedb file. NOTE: the vendor has disputed this as described in the GitHub issue comments.
CVE-2017-15426 3 Debian, Google, Redhat 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.
CVE-2017-15425 3 Debian, Google, Redhat 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.
CVE-2017-15424 3 Debian, Google, Redhat 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to perform domain spoofing via IDN homographs in a crafted domain name.
CVE-2017-0175 1 Microsoft 2 Windows 7, Windows Server 2008 2018-10-30 2.1 LOW 4.7 MEDIUM
The Windows kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allows authenticated attackers to obtain sensitive information via a specially crafted document, aka "Windows Kernel Information Disclosure Vulnerability," a different vulnerability than CVE-2017-0220, CVE-2017-0258, and CVE-2017-0259.
CVE-2018-10227 1 1234n 1 Minicms 2018-10-30 3.5 LOW 5.4 MEDIUM
MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parameter.
CVE-2018-15899 1 1234n 1 Minicms 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in MiniCMS 1.10. There is a post.php?date= XSS vulnerability.
CVE-2018-10296 1 1234n 1 Minicms 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php title parameter.
CVE-2015-6485 1 Schneider-electric 8 Sage 1410, Sage 1430, Sage 1450 and 5 more 2018-10-30 5.0 MEDIUM 5.3 MEDIUM
Schneider Electric Telvent Sage 2300 RTUs with firmware before C3413-500-S01, and LANDAC II-2, Sage 1410, Sage 1430, Sage 1450, Sage 2400, and Sage 3030M RTUs with firmware before C3414-500-S02J2, allow remote attackers to obtain sensitive information from device memory by reading a padding field of an Ethernet packet.
CVE-2018-1000638 1 1234n 1 Minicms 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in http://example.org/mc-admin/page.php?date={payload} that can result in code injection.
CVE-2018-16233 1 1234n 1 Minicms 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php tags parameter.
CVE-2018-8239 1 Microsoft 3 Windows 10, Windows Server 1803, Windows Server 2016 2018-10-30 4.3 MEDIUM 5.5 MEDIUM
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
CVE-2015-5231 2 Criu, Opensuse 2 Checkpoint\/restore In Userspace, Opensuse 2018-10-30 2.1 LOW 5.5 MEDIUM
The service daemon in CRIU does not properly restrict access to non-dumpable processes, which allows local users to obtain sensitive information via (1) process dumps or (2) ptrace access.
CVE-2016-1955 3 Mozilla, Novell, Opensuse 4 Firefox, Suse Package Hub For Suse Linux Enterprise, Leap and 1 more 2018-10-30 4.3 MEDIUM 4.3 MEDIUM
Mozilla Firefox before 45.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by reading a Content Security Policy (CSP) violation report that contains path information associated with an IFRAME element.
CVE-2016-6153 3 Fedoraproject, Opensuse, Sqlite 3 Fedora, Leap, Sqlite 2018-10-30 4.6 MEDIUM 5.9 MEDIUM
os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.
CVE-2015-8704 1 Isc 1 Bind 2018-10-30 6.8 MEDIUM 6.5 MEDIUM
apl_42.c in ISC BIND 9.x before 9.9.8-P3, 9.9.x, and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record.
CVE-2016-1938 2 Mozilla, Opensuse 4 Firefox, Nss, Leap and 1 more 2018-10-30 6.4 MEDIUM 6.5 MEDIUM
The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.
CVE-2016-1898 3 Canonical, Ffmpeg, Opensuse 3 Ubuntu Linux, Ffmpeg, Leap 2018-10-30 4.3 MEDIUM 5.5 MEDIUM
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.
CVE-2016-1897 3 Canonical, Ffmpeg, Opensuse 3 Ubuntu Linux, Ffmpeg, Leap 2018-10-30 4.3 MEDIUM 5.5 MEDIUM
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
CVE-2015-5382 1 Roundcube 2 Roundcube Webmail, Webmail 2018-10-30 4.0 MEDIUM 6.5 MEDIUM
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
CVE-2015-5381 1 Roundcube 2 Roundcube Webmail, Webmail 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
CVE-2016-4036 1 Opensuse 2 Leap, Opensuse 2018-10-30 2.1 LOW 5.5 MEDIUM
The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which allows local users to obtain sensitive information by reading files in the directory.
CVE-2016-1694 5 Debian, Google, Opensuse and 2 more 8 Debian Linux, Chrome, Leap and 5 more 2018-10-30 4.3 MEDIUM 5.3 MEDIUM
browser/browsing_data/browsing_data_remover.cc in Google Chrome before 51.0.2704.63 deletes HPKP pins during cache clearing, which makes it easier for remote attackers to spoof web sites via a valid certificate from an arbitrary recognized Certification Authority.
CVE-2016-1693 5 Debian, Google, Opensuse and 2 more 8 Debian Linux, Chrome, Leap and 5 more 2018-10-30 2.6 LOW 5.3 MEDIUM
browser/safe_browsing/srt_field_trial_win.cc in Google Chrome before 51.0.2704.63 does not use the HTTPS service on dl.google.com to obtain the Software Removal Tool, which allows remote attackers to spoof the chrome_cleanup_tool.exe (aka CCT) file via a man-in-the-middle attack on an HTTP session.
CVE-2016-1692 6 Canonical, Debian, Google and 3 more 9 Ubuntu Linux, Debian Linux, Chrome and 6 more 2018-10-30 4.3 MEDIUM 5.3 MEDIUM
WebKit/Source/core/css/StyleSheetContents.cpp in Blink, as used in Google Chrome before 51.0.2704.63, permits cross-origin loading of CSS stylesheets by a ServiceWorker even when the stylesheet download has an incorrect MIME type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
CVE-2016-7787 2 Kde, Opensuse 3 Kde-cli-tools, Leap, Opensuse 2018-10-30 4.0 MEDIUM 4.9 MEDIUM
A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.
CVE-2014-8127 2 Libtiff, Opensuse 2 Libtiff, Opensuse 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool.
CVE-2016-1689 6 Canonical, Debian, Google and 3 more 9 Ubuntu Linux, Debian Linux, Chrome and 6 more 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
Heap-based buffer overflow in content/renderer/media/canvas_capture_handler.cc in Google Chrome before 51.0.2704.63 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site.
CVE-2016-9830 3 Debian, Graphicsmagick, Opensuse 4 Debian Linux, Graphicsmagick, Leap and 1 more 2018-10-30 4.3 MEDIUM 5.5 MEDIUM
The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows remote attackers to cause a denial of service (crash) via large dimensions in a jpeg image.
CVE-2016-1688 6 Canonical, Debian, Google and 3 more 10 Ubuntu Linux, Debian Linux, Chrome and 7 more 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
The regexp (aka regular expression) implementation in Google V8 before 5.0.71.40, as used in Google Chrome before 51.0.2704.63, mishandles external string sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted JavaScript code.
CVE-2015-7976 4 Novell, Ntp, Opensuse and 1 more 10 Suse Openstack Cloud, Ntp, Leap and 7 more 2018-10-30 4.0 MEDIUM 4.3 MEDIUM
The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename.
CVE-2016-1687 5 Debian, Google, Opensuse and 2 more 8 Debian Linux, Chrome, Leap and 5 more 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
The renderer implementation in Google Chrome before 51.0.2704.63 does not properly restrict public exposure of classes, which allows remote attackers to obtain sensitive information via vectors related to extensions.
CVE-2016-1670 3 Debian, Google, Opensuse 3 Debian Linux, Chrome, Opensuse 2018-10-30 2.6 LOW 5.3 MEDIUM
Race condition in the ResourceDispatcherHostImpl::BeginRequest function in content/browser/loader/resource_dispatcher_host_impl.cc in Google Chrome before 50.0.2661.102 allows remote attackers to make arbitrary HTTP requests by leveraging access to a renderer process and reusing a request ID.
CVE-2016-7651 1 Apple 2 Iphone Os, Watchos 2018-10-30 4.6 MEDIUM 5.3 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. watchOS before 3.1.1 is affected. The issue involves the "Accounts" component, which allows local users to bypass intended authorization restrictions by leveraging the mishandling of an app uninstall.
CVE-2016-7607 1 Apple 3 Iphone Os, Mac Os X, Watchos 2018-10-30 4.3 MEDIUM 5.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component, which allows attackers to obtain sensitive information from kernel memory via a crafted app.
CVE-2014-9845 5 Canonical, Imagemagick, Opensuse and 2 more 11 Ubuntu Linux, Imagemagick, Leap and 8 more 2018-10-30 4.3 MEDIUM 5.5 MEDIUM
The ReadDIBImage function in coders/dib.c in ImageMagick allows remote attackers to cause a denial of service (crash) via a corrupted dib file.
CVE-2014-9844 5 Canonical, Imagemagick, Opensuse and 2 more 10 Ubuntu Linux, Imagemagick, Opensuse and 7 more 2018-10-30 4.3 MEDIUM 5.5 MEDIUM
The ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image file.
CVE-2016-5098 2 Opensuse, Phpmyadmin 2 Opensuse, Phpmyadmin 2018-10-30 5.0 MEDIUM 5.3 MEDIUM
Directory traversal vulnerability in libraries/error_report.lib.php in phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the existence of arbitrary files by triggering an error.
CVE-2016-5097 2 Opensuse, Phpmyadmin 2 Opensuse, Phpmyadmin 2018-10-30 5.0 MEDIUM 5.3 MEDIUM
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.
CVE-2016-1665 3 Google, Opensuse, Redhat 6 Chrome, Opensuse, Enterprise Linux Desktop Supplementary and 3 more 2018-10-30 4.3 MEDIUM 6.5 MEDIUM
The JSGenericLowering class in compiler/js-generic-lowering.cc in Google V8, as used in Google Chrome before 50.0.2661.94, mishandles comparison operators, which allows remote attackers to obtain sensitive information via crafted JavaScript code.
CVE-2016-1652 4 Debian, Google, Opensuse and 1 more 4 Debian Linux, Chrome, Leap and 1 more 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the Extensions subsystem in Google Chrome before 50.0.2661.75 allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)."
CVE-2016-2107 5 Google, Hp, Openssl and 2 more 12 Android, Helion Openstack, Openssl and 9 more 2018-10-30 2.6 LOW 5.9 MEDIUM
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVE-2015-7575 3 Canonical, Mozilla, Opensuse 6 Ubuntu Linux, Firefox, Firefox Esr and 3 more 2018-10-30 4.3 MEDIUM 5.9 MEDIUM
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVE-2016-2832 3 Canonical, Mozilla, Opensuse 4 Ubuntu Linux, Firefox, Leap and 1 more 2018-10-30 4.3 MEDIUM 4.3 MEDIUM
Mozilla Firefox before 47.0 allows remote attackers to discover the list of disabled plugins via a fingerprinting attack involving Cascading Style Sheets (CSS) pseudo-classes.
CVE-2016-7591 1 Apple 3 Iphone Os, Mac Os X, Watchos 2018-10-30 9.3 HIGH 6.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "IOHIDFamily" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via a crafted app.
CVE-2016-4068 2 Opensuse, Roundcube 4 Leap, Opensuse, Roundcube Webmail and 1 more 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
CVE-2016-4008 4 Canonical, Fedoraproject, Gnu and 1 more 4 Ubuntu Linux, Fedora, Libtasn1 and 1 more 2018-10-30 4.3 MEDIUM 5.9 MEDIUM
The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.
CVE-2015-8864 2 Opensuse, Roundcube 4 Leap, Opensuse, Roundcube Webmail and 1 more 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
CVE-2016-5701 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.
CVE-2016-4848 1 Clip-bucket 1 Clipbucket 2018-10-30 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in ClipBucket before 2.8.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.