Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-8375 | 1 Bd | 1 Alaris 8015 Pc Unit | 2017-03-16 | 1.9 LOW | 4.9 MEDIUM |
| An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. | |||||
| CVE-2016-9355 | 1 Bd | 1 Alaris 8015 Pc Unit | 2017-03-16 | 2.1 LOW | 5.3 MEDIUM |
| An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience. | |||||
| CVE-2017-6918 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | |||||
| CVE-2017-6916 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | |||||
| CVE-2017-6915 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed. | |||||
| CVE-2017-6917 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed. | |||||
| CVE-2016-9892 | 1 Eset | 2 Endpoint Antivirus, Endpoint Security | 2017-03-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root. | |||||
| CVE-2016-8362 | 1 Moxa | 28 Awk-1121, Awk-1121 Firmware, Awk-1127 and 25 more | 2017-03-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. Any user is able to download log files by accessing a specific URL. | |||||
| CVE-2016-8011 | 1 Intel Security Mcafee | 1 Endpoint Security Web Control | 2017-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Intel Security McAfee Endpoint Security (ENS) Web Control before 10.2.0.408.10 allows attackers to inject arbitrary web script or HTML via a crafted web site. | |||||
| CVE-2016-10104 | 1 Hiteksoftware | 1 Automize | 2017-03-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| Information Disclosure can occur in sshProfiles.jsd in Hitek Software's Automize because of the Read attribute being set for Users. This allows an attacker to recover encrypted passwords for SSH/SFTP profiles. Verified in all 10.x versions up to and including 10.25, and all 11.x versions up to and including 11.14. | |||||
| CVE-2016-10148 | 1 Wordpress | 1 Wordpress | 2017-03-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. | |||||
| CVE-2016-10135 | 1 Lg | 1 Lg Mobile | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| An issue was discovered on LG devices using the MTK chipset with L(5.0/5.1), M(6.0/6.0.1), and N(7.0) software, and RCA Voyager Tablet, BLU Advance 5.0, and BLU R1 HD devices. The MTKLogger app with a package name of com.mediatek.mtklogger has application components that are accessible to any application that resides on the device. Namely, the com.mediatek.mtklogger.framework.LogReceiver and com.mediatek.mtklogger.framework.MTKLoggerService application components are exported since they contain an intent filter, are not protected by a custom permission, and do not explicitly set the android:exported attribute to false. Therefore, these components are exported by default and are thus accessible to any third party application by using android.content.Intent object for communication. These application components can be used to start and stop the logs using Intent objects with embedded data. The available logs are the GPS log, modem log, network log, and mobile log. The base directory that contains the directories for the 4 types of logs is /sdcard/mtklog which makes them accessible to apps that require the READ_EXTERNAL_STORAGE permission. The GPS log contains the GPS coordinates of the user as well as a timestamp for the coordinates. The modem log contains AT commands and their parameters which allow the user's outgoing and incoming calls and text messages to be obtained. The network log is a tcpdump network capture. The mobile log contains the Android log, which is not available to third-party apps as of Android 4.1. The LG ID is LVE-SMP-160019. | |||||
| CVE-2017-6877 | 1 Lutim Project | 1 Lutim | 2017-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in SVG file handling in Lutim 0.7.1 and earlier allows remote attackers to inject arbitrary web script. | |||||
| CVE-2016-8232 | 1 Ibm | 3 Advanced Management Module, Advanced Management Module Firmware, Bladecenter | 2017-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| Document Object Model-(DOM) based cross-site scripting vulnerability in the Advanced Management Module (AMM) versions earlier than 66Z of Lenovo IBM BladeCenter HS22, HS22V, HS23, HS23E, HX5 allows an unauthenticated attacker with access to the AMM's IP address to send a crafted URL that could inject a malicious script to access a user's AMM data such as cookies or other session information. | |||||
| CVE-2017-6807 | 1 Uninett | 1 Mod Auth Mellon | 2017-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Transfer attack, where a user with access to one web site running on a server can copy their session cookie to a different web site on the same server to get access to that site. | |||||
| CVE-2017-5933 | 1 Citrix | 1 Netscaler Application Delivery Controller Firmware | 2017-03-14 | 4.3 MEDIUM | 5.9 MEDIUM |
| Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11.0 before Build 69.12/69.123, and 11.1 before Build 51.21 randomly generates GCM nonces, which makes it marginally easier for remote attackers to obtain the GCM authentication key and spoof data by leveraging a reused nonce in a session and a "forbidden attack," a similar issue to CVE-2016-0270. | |||||
| CVE-2014-3926 | 1 Lg Project | 1 Lg | 2017-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in lg.cgi in Cougar LG 1.9 allows remote attackers to inject arbitrary web script or HTML via the "addr" parameter. | |||||
| CVE-2015-4049 | 1 Unisys | 1 Mcp-firmware | 2017-03-14 | 5.6 MEDIUM | 6.8 MEDIUM |
| Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with MCP-FIRMWARE 40.0 before 40.0IC4 Build 270 might allow remote authenticated users to cause a denial of service (data corruption or system crash) via vectors related to using program operators during EPSILON (level 5) based codefiles at peak memory usage, which triggers CPM stack corruption. | |||||
| CVE-2016-10172 | 1 Wavpack Project | 1 Wavpack | 2017-03-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The read_new_config_info function in open_utils.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file. | |||||
| CVE-2016-10171 | 1 Wavpack Project | 1 Wavpack | 2017-03-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The unreorder_channels function in cli/wvunpack.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file. | |||||
| CVE-2016-10170 | 1 Wavpack Project | 1 Wavpack | 2017-03-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| The WriteCaffHeader function in cli/caff.c in Wavpack before 5.1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WV file. | |||||
| CVE-2016-8353 | 1 Osisoft | 1 Pi Web Api 2015 R2 | 2017-03-14 | 5.5 MEDIUM | 6.4 MEDIUM |
| An issue was discovered in OSIsoft PI Web API 2015 R2 (Version 1.5.1). There is a weakness in this product that may allow an attacker to access the PI system without the proper permissions. | |||||
| CVE-2016-9337 | 1 Tesla | 1 Gateway Ecu | 2017-03-14 | 4.0 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled. The vehicle's Gateway ECU is susceptible to commands that may allow an attacker to install malicious software allowing the attacker to send messages to the vehicle's CAN bus, a Command Injection. | |||||
| CVE-2016-5813 | 1 Visonic | 2 Powerlink2, Powerlink2 Firmware | 2017-03-14 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Visonic PowerLink2, all versions prior to October 2016 firmware release. When a specific URL to an image is accessed, the downloaded image carries with it source code used in the web server (INFORMATION EXPOSURE). | |||||
| CVE-2015-4409 | 1 Hikvision | 9 Ds-7604ni-e1\/4p, Ds-7608ni-12\/8p, Ds-7608ni-e1\/8p and 6 more | 2017-03-14 | 6.8 MEDIUM | 6.5 MEDIUM |
| Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devices before 3.4.0 allows remote authenticated users to cause a denial of service (service interruption) via a crafted HTTP request, aka the SDK issue. | |||||
| CVE-2015-4408 | 1 Hikvision | 9 Ds-7604ni-e1\/4p, Ds-7608ni-12\/8p, Ds-7608ni-e1\/8p and 6 more | 2017-03-14 | 6.8 MEDIUM | 6.5 MEDIUM |
| Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devices before 3.4.0 allows remote authenticated users to cause a denial of service (service interruption) via a crafted HTTP request, aka the ISAPI issue. | |||||
| CVE-2015-4407 | 1 Hikvision | 9 Ds-7604ni-e1\/4p, Ds-7608ni-12\/8p, Ds-7608ni-e1\/8p and 6 more | 2017-03-14 | 6.8 MEDIUM | 6.5 MEDIUM |
| Buffer overflow on Hikvision NVR DS-76xxNI-E1/2 and DS-77xxxNI-E4 devices before 3.4.0 allows remote authenticated users to cause a denial of service (service interruption) via a crafted HTTP request, aka the PSIA issue. | |||||
| CVE-2017-6544 | 1 Wuhu Project | 1 Wuhu | 2017-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Gargaj/wuhu through 2017-03-08 is vulnerable to a reflected XSS in wuhu-master/www_admin/users.php (id parameter). | |||||
| CVE-2016-9006 | 1 Ibm | 1 Urbancode Deploy | 2017-03-14 | 3.5 LOW | 5.4 MEDIUM |
| IBM UrbanCode Deploy 6.1 and 6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: C1000264. | |||||
| CVE-2017-6503 | 1 Qbittorrent | 1 Qbittorrent | 2017-03-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| WebUI in qBittorrent before 3.3.11 did not escape many values, which could potentially lead to XSS. | |||||
| CVE-2016-9347 | 1 Emerson | 4 Se4801t0x Redundant Wireless I\/o Card, Se4801t0x Redundant Wireless I\/o Card Firmware, Se4801t1x Simplex Wireless I\/o Card and 1 more | 2017-03-13 | 5.4 MEDIUM | 5.0 MEDIUM |
| An issue was discovered in Emerson SE4801T0X Redundant Wireless I/O Card V13.3, and SE4801T1X Simplex Wireless I/O Card V13.3. DeltaV Wireless I/O Cards (WIOC) running the firmware available in the DeltaV system, release v13.3, have the SSH (Secure Shell) functionality enabled unnecessarily. | |||||
| CVE-2017-6596 | 1 Partclone Project | 1 Partclone | 2017-03-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| partclone.chkimg in partclone 0.2.89 is prone to a heap-based buffer overflow vulnerability due to insufficient validation of the partclone image header. An attacker may be able to launch a 'Denial of Service attack' in the context of the user running the affected application. | |||||
| CVE-2017-6589 | 1 Epiceditor Project | 1 Epiceditor | 2017-03-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| EpicEditor through 0.2.3 has Cross-Site Scripting because of an insecure default marked.js configuration. An example attack vector is a crafted IMG element in an HTML document. | |||||
| CVE-2017-5880 | 1 Splunk | 1 Splunk | 2017-03-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Splunk Web in Splunk Enterprise versions 6.5.x before 6.5.2, 6.4.x before 6.4.5, 6.3.x before 6.3.9, 6.2.x before 6.2.13, 6.1.x before 6.1.12, 6.0.x before 6.0.13, 5.0.x before 5.0.17 and Splunk Light versions before 6.5.2 allows remote authenticated users to cause a denial of service (daemon crash) via a crafted GET request, aka SPL-130279. | |||||
| CVE-2016-9720 | 1 Ibm | 2 Qradar Incident Forensics, Qradar Security Information And Event Manager | 2017-03-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM QRadar 7.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM Reference #: 1999533. | |||||
| CVE-2017-6511 | 1 Finecms Project | 1 Finecms | 2017-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in index.php because of missing validation of the action parameter in application/classes/application.php. | |||||
| CVE-2016-9730 | 1 Ibm | 2 Qradar Incident Forensics, Qradar Security Information And Event Manager | 2017-03-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1999549. | |||||
| CVE-2017-5632 | 1 Asus | 2 Rt-n56u, Rt-n56u Firmware | 2017-03-09 | 3.3 LOW | 6.5 MEDIUM |
| An issue was discovered on the ASUS RT-N56U Wireless Router with Firmware 3.0.0.4.374_979. When executing an "nmap -O" command that specifies an IP address of an affected device, one can crash the device's WAN connection, causing disconnection from the Internet, a Denial of Service (DoS). The attack is only possible from within the local area network. | |||||
| CVE-2016-5933 | 1 Ibm | 1 Tivoli Monitoring | 2017-03-09 | 4.9 MEDIUM | 4.6 MEDIUM |
| IBM Tivoli Monitoring 6.2 and 6.3 is vulnerable to possible host header injection attack that could lead to HTTP cache poisoning or firewall bypass. IBM Reference #: 1997223. | |||||
| CVE-2016-8971 | 1 Ibm | 1 Websphere Mq | 2017-03-09 | 6.8 MEDIUM | 6.5 MEDIUM |
| IBM WebSphere MQ 8.0 could allow an authenticated user with queue manager permissions to cause a segmentation fault which would result in the box having to be rebooted to resume normal operations. IBM Reference #: 1998663. | |||||
| CVE-2016-9729 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2017-03-09 | 6.4 MEDIUM | 6.5 MEDIUM |
| IBM QRadar 7.2 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM Reference #: 1999545. | |||||
| CVE-2016-6247 | 1 Openbsd | 1 Openbsd | 2017-03-09 | 4.9 MEDIUM | 5.5 MEDIUM |
| OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of service (kernel panic) by unmounting a filesystem with an open vnode on the mnt_vnodelist. | |||||
| CVE-2016-6246 | 1 Openbsd | 1 Openbsd | 2017-03-09 | 4.9 MEDIUM | 4.4 MEDIUM |
| OpenBSD 5.8 and 5.9 allows certain local users with kern.usermount privileges to cause a denial of service (kernel panic) by mounting a tmpfs with a VNOVAL in the (1) username, (2) groupname, or (3) device name of the root node. | |||||
| CVE-2016-6350 | 1 Openbsd | 1 Openbsd | 2017-03-09 | 4.9 MEDIUM | 5.5 MEDIUM |
| OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (NULL pointer dereference and panic) via a sysctl call with a path starting with 10,9. | |||||
| CVE-2016-6245 | 1 Openbsd | 1 Openbsd | 2017-03-09 | 4.9 MEDIUM | 5.5 MEDIUM |
| OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a large size in a getdents system call. | |||||
| CVE-2016-4948 | 1 Cloudera | 1 Manager | 2017-03-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Cloudera Manager 5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Template Name field when renaming a template; (2) KDC Server host, (3) Kerberos Security Realm, (4) Kerberos Encryption Types, (5) Advanced Configuration Snippet (Safety Valve) for [libdefaults] section of krb5.conf, (6) Advanced Configuration Snippet (Safety Valve) for the Default Realm in krb5.conf, (7) Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf, or (8) Active Directory Account Prefix fields in the Kerberos wizard; or (9) classicWizard parameter to cmf/cloudera-director/redirect. | |||||
| CVE-2016-6242 | 1 Openbsd | 1 Openbsd | 2017-03-09 | 4.9 MEDIUM | 5.5 MEDIUM |
| OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (assertion failure and kernel panic) via a large ident value in a kevent system call. | |||||
| CVE-2016-6243 | 1 Openbsd | 1 Openbsd | 2017-03-09 | 4.9 MEDIUM | 5.5 MEDIUM |
| thrsleep in kern/kern_synch.c in OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a crafted value in the tsp parameter of the __thrsleep system call. | |||||
| CVE-2016-9725 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2017-03-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM QRadar Incident Forensics 7.2 allows for Cross-Origin Resource Sharing (CORS), which is a mechanism that allows web sites to request resources from external sites, avoiding the need to duplicate them. IBM Reference #: 1999539. | |||||
| CVE-2016-4947 | 1 Cloudera | 1 Hue | 2017-03-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete. | |||||