Search Results (Refine Search)
- Category (CWE): CWE-20 Improper Input Validation
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2017-14105 |
HiveManager Classic through 8.1r1 allows arbitrary JSP code execution by modifying a backup archive before a restore, because the restore feature does not validate pathnames within the archive. An authenticated, local attacker - even restricted as a tenant - can add a jsp at HiveManager/tomcat/webapps/hm/domains/$yourtenant/maps (it will be exposed at the web interface). Published: September 01, 2017; 1:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.8 HIGH V2.0: 7.2 HIGH |
CVE-2017-3898 |
A man-in-the-middle attack vulnerability in the non-certificate-based authentication mechanism in McAfee LiveSafe (MLS) versions prior to 16.0.3 allows network attackers to modify the Windows registry value associated with the McAfee update via the HTTP backend-response. Published: September 01, 2017; 9:29:00 AM -0400 |
V4.0:(not available) V3.0: 5.9 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-12869 |
The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input. Published: September 01, 2017; 9:29:00 AM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-0901 |
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. Published: August 31, 2017; 4:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 6.4 MEDIUM |
CVE-2017-0900 |
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. Published: August 31, 2017; 4:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-14063 |
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL. Published: August 31, 2017; 12:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-9945 |
In the Siemens 7KM PAC Switched Ethernet PROFINET expansion module (All versions < V2.1.3), a Denial-of-Service condition could be induced by a specially crafted PROFINET DCP packet sent as a local Ethernet (Layer 2) broadcast. The affected component requires a manual restart via the main device to recover. Published: August 30, 2017; 3:29:00 PM -0400 |
V4.0:(not available) V3.0: 6.5 MEDIUM V2.0: 6.1 MEDIUM |
CVE-2016-4462 |
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01 Published: August 30, 2017; 1:29:00 PM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2017-13767 |
In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation. Published: August 30, 2017; 5:29:00 AM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 7.8 HIGH |
CVE-2017-1428 |
IBM Cognos Analytics 11.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 127583. Published: August 29, 2017; 5:29:00 PM -0400 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2016-2977 |
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a malicious user to lower other users hands in the meeting. IBM X-Force ID: 113937. Published: August 29, 2017; 2:29:00 PM -0400 |
V4.0:(not available) V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2016-10503 |
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow an authenticated and invited user of Sametime meeting to lower any or all hands in an e-meeting, thus spoofing results of votes in the meeting. IBM X-Force ID: 113803. Published: August 29, 2017; 2:29:00 PM -0400 |
V4.0:(not available) V3.0: 4.3 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2017-12775 |
qa-include/qa-install.php in Question2Answer before 1.7.5 allows remote attackers to create multiple user accounts. Published: August 29, 2017; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2015-5209 |
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. Published: August 29, 2017; 11:29:00 AM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-10952 |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.2.0.2051. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the saveAs JavaScript function. The issue results from the lack of proper validation of user-supplied data, which can lead to writing arbitrary files into attacker controlled locations. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4518. Published: August 29, 2017; 9:29:00 AM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-13735 |
There is a floating point exception in the kodak_radc_load_raw function in dcraw_common.cpp in LibRaw 0.18.2. It will lead to a remote denial of service attack. Published: August 29, 2017; 2:29:00 AM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2017-13685 |
The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file. Published: August 29, 2017; 2:29:00 AM -0400 |
V4.0:(not available) V3.0: 5.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-2254 |
Cybozu Garoon 3.5.0 to 4.2.5 allows an attacker to cause a denial of service in the application menu's edit function via specially crafted input Published: August 28, 2017; 9:35:13 PM -0400 |
V4.0:(not available) V3.0: 4.9 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2015-0234 |
Multiple temporary file creation vulnerabilities in pki-core 10.2.0. Published: August 28, 2017; 9:35:12 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2015-1554 |
kgb-bot 1.33-2 allows remote attackers to cause a denial of service (crash). Published: August 28, 2017; 3:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |