Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-1000259 | | | 2017-04-14 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10326. Reason: This candidate is a reservation duplicate of CVE-2016-10326. Notes: All CVE users should reference CVE-2016-10326 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2014-2960 | 1 Visioncritical | 1 Vision Critical | 2017-04-14 | 5.0 MEDIUM | 7.5 HIGH |
| Vision Critical before 2014-05-30 allows attackers to read arbitrary files via unspecified vectors, as demonstrated by image files and configuration files. | |||||
| CVE-2016-5077 | 1 Netikus | 1 Eventsentry | 2017-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Netikus EventSentry before 3.2.1.44 has XSS via SNMP. | |||||
| CVE-2015-6021 | 1 Spiceworks | 1 Desktop | 2017-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Spiceworks Desktop before 2015-12-01 has XSS via an SNMP response. | |||||
| CVE-2015-2880 | 1 Trendnet | 1 Tv-ip743sic | 2017-04-14 | 9.0 HIGH | 8.8 HIGH |
| TRENDnet WiFi Baby Cam TV-IP743SIC has a password of admin for the backdoor root account. | |||||
| CVE-2015-2882 | 1 Philips | 1 In.sight B120/37 | 2017-04-14 | 10.0 HIGH | 9.8 CRITICAL |
| Philips In.Sight B120/37 has a password of b120root for the backdoor root account, a password of /ADMIN/ for the backdoor admin account, a password of merlin for the backdoor mg3500 account, a password of M100-4674448 for the backdoor user account, and a password of M100-4674448 for the backdoor admin account. | |||||
| CVE-2015-2883 | 1 Philips | 1 In.sight B120/37 | 2017-04-14 | 3.5 LOW | 5.4 MEDIUM |
| Philips In.Sight B120/37 has XSS, related to the Weaved cloud web service, as demonstrated by the name parameter to deviceSettings.php or shareDevice.php. | |||||
| CVE-2016-1517 | 1 Opencv | 1 Opencv | 2017-04-14 | 4.3 MEDIUM | 5.5 MEDIUM |
| OpenCV 3.0.0 allows remote attackers to cause a denial of service (segfault) via vectors involving corrupt chunks. | |||||
| CVE-2017-3889 | 1 Cisco | 1 Registered Envelope Service | 2017-04-14 | 5.8 MEDIUM | 6.1 MEDIUM |
| A vulnerability in the web interface of the Cisco Registered Envelope Service could allow an unauthenticated, remote attacker to redirect a user to an undesired web page, aka an Open Redirect. This vulnerability affects the Cisco Registered Envelope cloud-based service. More Information: CSCvc60123. Known Affected Releases: 5.1.0-015. | |||||
| CVE-2015-7270 | 1 Dell | 4 Integrated Remote Access Controller 6, Integrated Remote Access Controller 7, Integrated Remote Access Controller 8 and 1 more | 2017-04-14 | 4.6 MEDIUM | 7.8 HIGH |
| Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows directory traversal. | |||||
| CVE-2015-7274 | 1 Dell | 2 Integrated Remote Access Controller 6, Integrated Remote Access Controller Firmware | 2017-04-14 | 6.5 MEDIUM | 8.8 HIGH |
| Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 allows remote attackers to execute arbitrary administrative HTTP commands. | |||||
| CVE-2015-7271 | 1 Dell | 3 Integrated Remote Access Controller 7, Integrated Remote Access Controller 8, Integrated Remote Access Controller Firmware | 2017-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo. | |||||
| CVE-2015-7275 | 1 Dell | 4 Integrated Remote Access Controller 6, Integrated Remote Access Controller 7, Integrated Remote Access Controller 8 and 1 more | 2017-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Dell Integrated Remote Access Controller (iDRAC) 6 before 2.85 and 7/8 before 2.30.30.30 has XSS. | |||||
| CVE-2015-7272 | 1 Dell | 4 Integrated Remote Access Controller 6, Integrated Remote Access Controller 7, Integrated Remote Access Controller 8 and 1 more | 2017-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long SSH username or input. | |||||
| CVE-2015-7273 | 1 Dell | 3 Integrated Remote Access Controller 7, Integrated Remote Access Controller 8, Integrated Remote Access Controller Firmware | 2017-04-14 | 7.5 HIGH | 9.8 CRITICAL |
| Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE. | |||||
| CVE-2016-5076 | 1 Cloudviewnms | 1 Cloudview Nms | 2017-04-14 | 5.0 MEDIUM | 7.5 HIGH |
| CloudView NMS before 2.10a allows remote attackers to obtain sensitive information via a direct request for admin/auto.def. | |||||
| CVE-2016-5075 | 1 Cloudviewnms | 1 Cloudview Nms | 2017-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| CloudView NMS before 2.10a has XSS via a TELNET login. | |||||
| CVE-2016-5073 | 1 Cloudviewnms | 1 Cloudview Nms | 2017-04-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| CloudView NMS before 2.10a has XSS via SNMP. | |||||
| CVE-2017-6435 | 1 Libplist Project | 1 Libplist | 2017-04-14 | 1.9 LOW | 5.0 MEDIUM |
| The parse_string_node function in bplist.c in libimobiledevice libplist 1.12 allows local users to cause a denial of service (memory corruption) via a crafted plist file. | |||||
| CVE-2017-7286 | | | 2017-04-14 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2015-8258 | 1 Axis | 1 Axis Communications Firmware | 2017-04-13 | 7.8 HIGH | 7.5 HIGH |
| AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability." | |||||
| CVE-2015-8275 | 1 Eparaksts | 2 Edoc-libraries, Eparakstitajs 3 | 2017-04-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| LVRTC eParakstitajs 3.0 (1.3.0) and edoc-libraries-2.5.4_01 allow attackers to write to arbitrary files via crafted EDOC files. | |||||
| CVE-2015-8276 | 1 Eparaksts | 2 Edoc-libraries, Eparakstitajs 3 | 2017-04-13 | 4.3 MEDIUM | 5.5 MEDIUM |
| LVRTC eParakstitajs 3.0 (1.3.0) and edoc-libraries-2.5.4_01 allow attackers to read arbitrary files via crafted EDOC files. | |||||
| CVE-2007-6760 | 1 Dataprobe | 2 Ibootbar, Ibootbar Firmware | 2017-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie. | |||||
| CVE-2015-2885 | 1 Lens Laboratories | 2 Peek-a-view, Peek-a-view Firmware | 2017-04-13 | 10.0 HIGH | 9.8 CRITICAL |
| Lens Peek-a-View has a password of 2601hx for the backdoor admin account, a password of user for the backdoor user account, and a password of guest for the backdoor guest account. | |||||
| CVE-2007-6759 | 1 Dataprobe | 2 Ibootbar, Ibootbar Firmware | 2017-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie. | |||||
| CVE-2015-8255 | 1 Axis | 1 Axis Communications Firmware | 2017-04-13 | 6.8 MEDIUM | 8.8 HIGH |
| AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi. | |||||
| CVE-2015-2886 | 1 Ibaby | 2 M6 Baby Monitor, M6 Baby Monitor Firmware | 2017-04-13 | 5.0 MEDIUM | 7.5 HIGH |
| iBaby M6 allows remote attackers to obtain sensitive information, related to the ibabycloud.com service. | |||||
| CVE-2015-2887 | 1 Ibaby | 2 M3s Baby Monitor, M3s Baby Monitor Firmware | 2017-04-13 | 10.0 HIGH | 9.8 CRITICAL |
| iBaby M3S has a password of admin for the backdoor admin account. | |||||
| CVE-2015-6035 | 1 Opsview | 1 Opsview | 2017-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Opsview before 2015-11-06 has XSS via SNMP. | |||||
| CVE-2015-2881 | 1 Gynoii | 3 Gcw-1010, Gcw-1020, Gpw-1025 | 2017-04-13 | 10.0 HIGH | 9.8 CRITICAL |
| Gynoii has a password of guest for the backdoor guest account and a password of 12345 for the backdoor admin account. | |||||
| CVE-2017-7581 | 1 News System Project | 1 News System | 2017-04-13 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed. | |||||
| CVE-2017-7589 | 1 Openidm Project | 1 Openidm | 2017-04-13 | 4.0 MEDIUM | 6.5 MEDIUM |
| In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the "anonymous" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js. | |||||
| CVE-2017-7591 | 1 Openidm Project | 1 Openidm | 2017-04-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenIDM through 4.0.0 and 4.5.0 is vulnerable to reflected cross-site scripting (XSS) attacks within the Admin UI, as demonstrated by the _sortKeys parameter to the authzRoles script under managed/user/. | |||||
| CVE-2016-9197 | 1 Cisco | 1 Mobility Services Engine | 2017-04-13 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI command parser of the Cisco Mobility Express 2800 and 3800 Series Wireless LAN Controllers could allow an authenticated, local attacker to obtain access to the underlying operating system shell with root-level privileges. More Information: CSCvb70351. Known Affected Releases: 8.3(102.0). | |||||
| CVE-2017-7604 | 1 Libaacplus Project | 1 Libaacplus | 2017-04-13 | 6.8 MEDIUM | 7.8 HIGH |
| au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. | |||||
| CVE-2017-7603 | 1 Libaacplus Project | 1 Libaacplus | 2017-04-13 | 6.8 MEDIUM | 7.8 HIGH |
| au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. | |||||
| CVE-2017-7570 | 1 Pivotx | 1 Pivotx | 2017-04-13 | 6.5 MEDIUM | 8.8 HIGH |
| PivotX 2.3.11 allows remote authenticated Advanced users to execute arbitrary PHP code by performing an upload with a safe file extension (such as .jpg) and then invoking the duplicate function to change to the .php extension. | |||||
| CVE-2017-7566 | 1 Mybb | 1 Mybb | 2017-04-13 | 4.0 MEDIUM | 7.7 HIGH |
| MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. | |||||
| CVE-2016-6805 | 1 Apache | 1 Ignite | 2017-04-13 | 4.3 MEDIUM | 5.9 MEDIUM |
| Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents. | |||||
| CVE-2017-6513 | 1 Softaculous | 2 Virtualizor, Whmcs Reseller Module | 2017-04-13 | 6.5 MEDIUM | 9.9 CRITICAL |
| The WHMCS Reseller Module V2 2.0.2 in Softaculous Virtualizor before 2.9.1.0 does not verify the user correctly, which allows remote authenticated users to control other virtual machines managed by Virtualizor by accessing a modified URL. | |||||
| CVE-2017-7572 | 1 Backintime Project | 1 Backintime | 2017-04-12 | 9.3 HIGH | 8.1 HIGH |
| The _checkPolkitPrivilege function in serviceHelper.py in Back In Time (aka backintime) 1.1.18 and earlier uses a deprecated polkit authorization method (unix-process) that is subject to a race condition (time of check, time of use). With this authorization method, the owner of a process requesting a polkit operation is checked by polkitd via /proc/<pid>/status, by which time the requesting process may have been replaced by a different process with the same PID that has different privileges than the original requester. | |||||
| CVE-2017-7569 | 1 Vbulletin | 1 Vbulletin | 2017-04-12 | 5.0 MEDIUM | 8.6 HIGH |
| In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-6483 patch and conduct SSRF attacks by leveraging the behavior of the PHP parse_url function, aka VBV-17037. | |||||
| CVE-2017-7579 | 1 Phpmyfaq | 1 Phpmyfaq | 2017-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the question field. | |||||
| CVE-2017-6130 | 1 F5 | 2 Ssl Intercept Iapp, Ssl Orchestrator | 2017-04-12 | 5.8 MEDIUM | 7.4 HIGH |
| F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 are vulnerable to a Server-Side Request Forgery (SSRF) attack when deployed using the Dynamic Domain Bypass (DDB) feature plus the SNAT Auto Map option for egress traffic. | |||||
| CVE-2016-10319 | 1 Arm Trusted Firmware Project | 1 Arm Trusted Firmware | 2017-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware update SMC can result in copying unexpectedly large data into secure memory because of integer overflows. This affects certain cases involving execution of both AArch64 Generic Trusted Firmware (TF) BL1 code and other firmware update code. | |||||
| CVE-2015-4673 | 1 Clip-bucket | 1 Clipbucket | 2017-04-12 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in ClipBucket 2.7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via (1) the collection_description parameter to upload/manage_collections.php in an add_new action or the (2) photo_description, (3) photo_tags, or (4) photo_title parameter to upload/actions/photo_uploader.php. | |||||
| CVE-2016-1000307 | 1 Clip-bucket | 1 Clipbucket | 2017-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) Vulnerabilities in ClipBucket v2.8.1 and probably prior allow Remote Attackers to inject arbitrary web script or HTML via (1) profile_desc, about_me, schools, occupation, companies, hobbies, fav_movies, fav_music, fav_books parameters to ProfileSettings page; (2) note parameter to PersonalNotes Section; (3) closed_msg, description, allowed_types parameters to WebsiteConfigurations Section. NOTE: the collection_description vector is already covered by CVE-2015-4673. | |||||
| CVE-2017-6884 | 1 Zyxel | 2 Emg2926, Emg2926 Firmware | 2017-04-12 | 9.0 HIGH | 8.8 HIGH |
| A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI. | |||||
| CVE-2017-7565 | 1 Splunk | 1 Hadoop Connect | 2017-04-12 | 6.5 MEDIUM | 8.8 HIGH |
| Splunk Hadoop Connect App has a path traversal vulnerability that allows remote authenticated users to execute arbitrary code, aka ERP-2041. | |||||
