Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-5750 | 1 Netiq | 1 Access Manager | 2017-03-24 | 6.5 MEDIUM | 8.8 HIGH |
| The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users. | |||||
| CVE-2016-5748 | 1 Netiq | 1 Access Manager | 2017-03-24 | 2.1 LOW | 5.5 MEDIUM |
| External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users. | |||||
| CVE-2016-5749 | 1 Netiq | 1 Access Manager | 2017-03-24 | 2.1 LOW | 5.5 MEDIUM |
| NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack. | |||||
| CVE-2016-1597 | 1 Netiq | 1 Access Governance Suite | 2017-03-24 | 9.0 HIGH | 8.8 HIGH |
| A logged-in user in NetIQ Access Governance Suite 6.0 through 6.4 could escalate privileges to administrator. | |||||
| CVE-2017-6189 | 1 Amazon | 1 Kindle For Pc | 2017-03-24 | 4.4 MEDIUM | 7.3 HIGH |
| Untrusted search path vulnerability in Amazon Kindle for PC before 1.19 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL in the current working directory of the Kindle Setup installer. | |||||
| CVE-2016-5755 | 1 Netiq | 1 Access Manager | 2017-03-24 | 4.3 MEDIUM | 6.5 MEDIUM |
| NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 was vulnerable to clickjacking attacks due to a missing SAMEORIGIN filter in the "high encryption" setting. | |||||
| CVE-2016-5756 | 1 Netiq | 1 Access Manager | 2017-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple components of the web tools in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 were vulnerable to Reflected Cross Site Scripting attacks which could be used to hijack user sessions: nps/servlet/frameservice, nps/servlet/webacc, roma/admin/cntl, roma/jsp/admin/appliance/devicedetail_edit.jsp, roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp, roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp, roma/jsp/volsc/monitoring/appliance.jsp, and roma/jsp/volsc/monitoring/graph.jsp. | |||||
| CVE-2014-9915 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| Off-by-one error in ImageMagick before 6.6.0-4 allows remote attackers to cause a denial of service (application crash) via a crafted 8BIM profile. | |||||
| CVE-2016-5754 | 1 Netiq | 1 Access Manager | 2017-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| Presence of a .htaccess file could leak information in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before SP2. | |||||
| CVE-2016-4504 | 1 Meteocontrol | 1 Weblog | 2017-03-24 | 6.8 MEDIUM | 8.8 HIGH |
| A Cross-Site Request Forgery issue was discovered in Meteocontrol WEB'log Basic 100 all versions, Light all versions, Pro all versions, and Pro Unlimited all versions. There is no CSRF Token generated per page or per function. | |||||
| CVE-2015-8954 | 1 Openinfosecfoundation | 1 Suricata | 2017-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| The MemcmpLowercase function in Suricata before 2.0.6 improperly excludes the first byte from comparisons, which might allow remote attackers to bypass intrusion-prevention functionality via a crafted HTTP request. | |||||
| CVE-2016-10046 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| Heap-based buffer overflow in the DrawImage function in magick/draw.c in ImageMagick before 6.9.5-5 allows remote attackers to cause a denial of service (application crash) via a crafted image file. | |||||
| CVE-2016-10047 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 7.1 HIGH | 5.5 MEDIUM |
| Memory leak in the NewXMLTree function in magick/xml-tree.c in ImageMagick before 6.9.4-7 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML file. | |||||
| CVE-2016-10048 | 2 Imagemagick, Opensuse Project | 2 Imagemagick, Leap | 2017-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in magick/module.c in ImageMagick 6.9.4-7 allows remote attackers to load arbitrary modules via unspecified vectors. | |||||
| CVE-2014-9840 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted palm file. | |||||
| CVE-2014-9838 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| magick/cache.c in ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (crash). | |||||
| CVE-2014-9839 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 5.0 MEDIUM | 7.5 HIGH |
| magick/colormap-private.h in ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds access). | |||||
| CVE-2014-9832 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 6.8 MEDIUM | 7.8 HIGH |
| Heap overflow in ImageMagick 6.8.9-9 via a crafted pcx file. | |||||
| CVE-2014-9833 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 6.8 MEDIUM | 7.8 HIGH |
| Heap overflow in ImageMagick 6.8.9-9 via a crafted psd file. | |||||
| CVE-2014-9834 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 6.8 MEDIUM | 7.8 HIGH |
| Heap overflow in ImageMagick 6.8.9-9 via a crafted pict file. | |||||
| CVE-2014-9835 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 6.8 MEDIUM | 7.8 HIGH |
| Heap overflow in ImageMagick 6.8.9-9 via a crafted wpf file. | |||||
| CVE-2014-9836 | 1 Imagemagick | 1 Imagemagick | 2017-03-24 | 4.3 MEDIUM | 5.5 MEDIUM |
| ImageMagick 6.8.9-9 allows remote attackers to cause a denial of service via a crafted xpm file. | |||||
| CVE-2017-2577 | 2017-03-24 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2009-2197 | 1 Apple | 1 Safari | 2017-03-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| Apple Safari before 9.1 allows remote attackers to spoof the user interface via a web page that places text in a crafted context, leading to unintended use of that text within a Safari dialog. | |||||
| CVE-2012-1574 | 2 Apache, Cloudera | 3 Hadoop, Cloudera Cdh, Hadoop | 2017-03-24 | 6.5 MEDIUM | N/A |
| The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. | |||||
| CVE-2012-3376 | 1 Apache | 1 Hadoop | 2017-03-24 | 7.5 HIGH | N/A |
| DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts. | |||||
| CVE-2013-2192 | 1 Apache | 1 Hadoop | 2017-03-24 | 3.2 LOW | N/A |
| The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. | |||||
| CVE-2013-2193 | 1 Apache | 1 Hbase | 2017-03-24 | 4.3 MEDIUM | N/A |
| Apache HBase 0.92.x before 0.92.3 and 0.94.x before 0.94.9, when the Kerberos features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information via unspecified vectors. | |||||
| CVE-2015-0757 | 1 Cisco | 1 Identity Services Engine Software | 2017-03-24 | 5.0 MEDIUM | N/A |
| The web framework in Cisco Identity Services Engine (ISE) 1.2(1.901) and 1.3(0.722) does not properly implement session handlers, which allows remote attackers to obtain sensitive information by reading web pages, as demonstrated by MnT reports, aka Bug ID CSCuq23140. | |||||
| CVE-2015-1772 | 2 Apache, Ibm | 2 Hive, Infosphere Biginsights | 2017-03-24 | 4.3 MEDIUM | 7.3 HIGH |
| The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request. | |||||
| CVE-2015-1836 | 2 Apache, Ibm | 2 Hbase, Infosphere Biginsights | 2017-03-24 | 7.5 HIGH | 7.3 HIGH |
| Apache HBase 0.98 before 0.98.12.1, 1.0 before 1.0.1.1, and 1.1 before 1.1.0.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, uses incorrect ACLs for ZooKeeper coordination state, which allows remote attackers to cause a denial of service (daemon outage), obtain sensitive information, or modify data via unspecified client traffic. | |||||
| CVE-2015-2050 | 1 D-link | 2 Dap-1320, Dap-1320 Firmware | 2017-03-24 | 10.0 HIGH | N/A |
| D-Link DAP-1320 Rev Ax with firmware before 1.21b05 allows attackers to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2015-7799 | 1 Linux | 1 Linux Kernel | 2017-03-24 | 4.9 MEDIUM | N/A |
| The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call. | |||||
| CVE-2016-1771 | 1 Apple | 1 Safari | 2017-03-24 | 7.1 HIGH | 6.5 MEDIUM |
| The Downloads feature in Apple Safari before 9.1 mishandles file expansion, which allows remote attackers to cause a denial of service via a crafted web site. | |||||
| CVE-2016-1772 | 1 Apple | 1 Safari | 2017-03-24 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Top Sites feature in Apple Safari before 9.1 mishandles cookie storage, which makes it easier for remote web servers to track users via unspecified vectors. | |||||
| CVE-2016-4617 | 1 Apple | 1 Mac Os X | 2017-03-24 | 4.6 MEDIUM | 8.8 HIGH |
| An issue was discovered in certain Apple products. macOS before 10.12 is affected. The issue involves a sandbox escape related to launchctl process spawning in the "libxpc" component. | |||||
| CVE-2017-5874 | 1 D-link | 2 Dir-600m, Dir-600m Firmware | 2017-03-24 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists on D-Link DIR-600M Rev. Cx devices before v3.05ENB01_beta_20170306. This can be used to bypass authentication and insert XSS sequences or possibly have unspecified other impact. | |||||
| CVE-2017-7202 | 1 Slims | 1 Slims7 Cendana | 2017-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) were discovered in SLiMS 7 Cendana before 2017-03-16. The vulnerabilities exist due to insufficient filtration of user-supplied data (id) passed to the 'slims7_cendana-master/template/default/detail_template.php' and 'slims7_cendana-master/template/default-rtl/detail_template.php' URLs. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-7204 | 1 Imdbphp Project | 1 Imdbphp | 2017-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) was discovered in imdbphp 5.1.1. The vulnerability exists due to insufficient filtration of user-supplied data (name) passed to the "imdbphp-master/demo/search.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-7205 | 1 Gamepanelx | 1 Gamepanelx-v3 | 2017-03-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) was discovered in GamePanelX-V3 3.0.12. The vulnerability exists due to insufficient filtration of user-supplied data (a) passed to the "GamePanelX-V3-master/ajax/ajax.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-1155 | 1 Ibm | 1 Algo One | 2017-03-23 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could allow a user to gain access to another user's reports using a specially crafted HTTP request. IBM Reference #: 1999754. | |||||
| CVE-2016-9165 | 1 Ca | 2 Unified Infrastructure Management, Unified Infrastructure Management Snap | 2017-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| The get_sessions servlet in CA Unified Infrastructure Management (formerly CA Nimsoft Monitor) before 8.5 and CA Unified Infrastructure Management Snap (formerly CA Nimsoft Monitor Snap) allows remote attackers to obtain active session ids and consequently bypass authentication or gain privileges via unspecified vectors. | |||||
| CVE-2017-3899 | 1 Mcafee | 1 Advanced Threat Defense | 2017-03-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| SQL injection vulnerability in Intel Security Advanced Threat Defense (ATD) Linux 3.6.0 and earlier allows remote authenticated users to obtain product information via a crafted HTTP request parameter. | |||||
| CVE-2017-6909 | 1 Shishnet | 1 Shimmie | 2017-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Shimmie <= 2.5.1. The vulnerability exists due to insufficient filtration of user-supplied data (log) passed to the "shimmie2-master/ext/chatbox/history/index.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2015-8992 | 1 Mcafee | 3 Cloud Av, Security Scan Plus, Security Webadvisor | 2017-03-23 | 6.9 MEDIUM | 7.0 HIGH |
| Malicious file execution vulnerability in Intel Security WebAdvisor before 4.0.2, 4.0.1 and 3.7.2 allows attackers to make the product momentarily vulnerable via executing preexisting specifically crafted malware during installation or uninstallation, but not during normal operation. | |||||
| CVE-2014-9921 | 1 Mcafee | 1 Cloud Analysis And Deconstructive Services | 2017-03-23 | 9.7 HIGH | 9.8 CRITICAL |
| Information disclosure vulnerability in McAfee (now Intel Security) Cloud Analysis and Deconstructive Services (CADS) 1.0.0.3x, 1.0.0.4d and earlier allows remote unauthenticated users to view, add, and remove users via a configuration error. | |||||
| CVE-2017-6905 | 1 Concrete5 | 1 Concrete5 | 2017-03-23 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (disable_choose) passed to the "concrete5-legacy-master/web/concrete/tools/files/search_dialog.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2015-8990 | 1 Mcafee | 1 Advanced Threat Defense | 2017-03-23 | 5.0 MEDIUM | 7.5 HIGH |
| Detection bypass vulnerability in Intel Security Advanced Threat Defense (ATD) 3.4.6 and earlier allows malware samples to bypass ATD detection via renaming the malware. | |||||
| CVE-2015-8988 | 1 Mcafee | 1 Epo Deep Command | 2017-03-23 | 6.5 MEDIUM | 8.8 HIGH |
| Unquoted executable path vulnerability in Client Management and Gateway components in McAfee (now Intel Security) ePO Deep Command (eDC) 2.2 and 2.1 allows authenticated users to execute a command of their choice via dropping a malicious file for the path. | |||||
| CVE-2017-6803 | 1 Solarwinds | 1 Ftp Voyager | 2017-03-23 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in the Scheduler in SolarWinds (formerly Serv-U) FTP Voyager 16.2.0 allow remote attackers to hijack the authentication of users for requests that (1) change the admin password, (2) terminate the scheduler, or (3) possibly execute arbitrary commands via crafted requests to Admin/XML/Result.xml. | |||||