Vulnerability Summary for the Week of December 26, 2016
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
cisco -- cloudcenter_orchestrator | A vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system. Affected Products: This vulnerability affects all releases of Cisco CloudCenter Orchestrator (CCO) deployments where the Docker Engine TCP port 2375 is open on the system and bound to local address 0.0.0.0 (any interface). | 2016-12-26 | 10.0 | CVE-2016-9223 BID CONFIRM |
debian -- debian_linux | Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. It is, however, possible to include an HTML comment indicator to hide content. | 2016-12-23 | 7.5 | CVE-2016-7966 SUSE DEBIAN MLIST BID FEDORA |
hp -- thinpro | HP ThinPro 4.4 through 6.1 mishandles the keyboard layout control panel and virtual keyboard application, which allows local users to bypass intended access restrictions and gain privileges via unspecified vectors. | 2016-12-29 | 7.2 | CVE-2016-2246 HP BID |
kde -- kmail | KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed. | 2016-12-23 | 7.5 | CVE-2016-7968 MLIST BID MISC |
linux -- linux_kernel | The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option. | 2016-12-28 | 7.2 | CVE-2012-6704 CONFIRM MLIST BID CONFIRM CONFIRM |
linux -- linux_kernel | The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device. | 2016-12-28 | 7.2 | CVE-2016-9576 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM |
linux -- linux_kernel | The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option. | 2016-12-28 | 7.2 | CVE-2016-9793 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM |
linux -- linux_kernel | Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated. | 2016-12-28 | 7.2 | CVE-2016-9806 CONFIRM MLIST CONFIRM MLIST BID CONFIRM CONFIRM |
modx -- modx_revolution | Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, related to browser/directory/getlist. | 2016-12-24 | 7.5 | CVE-2016-10037 BID CONFIRM CONFIRM |
modx -- modx_revolution | Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/remove. | 2016-12-24 | 7.5 | CVE-2016-10038 BID CONFIRM CONFIRM |
modx -- modx_revolution | Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles. | 2016-12-24 | 7.5 | CVE-2016-10039 BID CONFIRM CONFIRM |
pivotal_software -- rabbitmq | An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected. | 2016-12-29 | 7.5 | CVE-2016-9877 BID CONFIRM |
s9y -- serendipity | include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file. | 2016-12-30 | 7.5 | CVE-2016-10082 CONFIRM CONFIRM |
shutter-project -- shutter | /usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Run a plugin" action. | 2016-12-29 | 9.3 | CVE-2016-10081 CONFIRM |
tarantool -- tarantool | An exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key's value. This can lead to an out-of-bounds read within the context of the server. An attacker who exploits this vulnerability can cause a denial of service on the server. | 2016-12-23 | 7.8 | CVE-2016-9037 BID MISC |
vmware -- workstation_pro | Untrusted search path vulnerability in the installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse DLL in an unspecified directory. | 2016-12-29 | 7.2 | CVE-2016-7085 BID CONFIRM |
vmware -- workstation_pro | The installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse setup64.exe file in the installation directory. | 2016-12-29 | 7.2 | CVE-2016-7086 BID CONFIRM |
vmware -- vsphere_data_protection | VMware vSphere Data Protection (VDP) 5.5.x through 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session. | 2016-12-29 | 10.0 | CVE-2016-7456 BID SECTRACK CONFIRM |
vmware -- vrealize_operations | VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual machines, via unspecified vectors. | 2016-12-29 | 8.0 | CVE-2016-7457 BID CONFIRM |
vmware -- fusion_pro | The drag-and-drop (aka DnD) function in VMware Workstation Pro 12.x before 12.5.2 and VMware Workstation Player 12.x before 12.5.2 and VMware Fusion and Fusion Pro 8.x before 8.5.2 allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (out-of-bounds memory access on the host OS) via unspecified vectors. | 2016-12-29 | 7.2 | CVE-2016-7461 BID CONFIRM |
vmware -- vrealize_operations | The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization. | 2016-12-29 | 7.5 | CVE-2016-7462 BID CONFIRM MISC |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
antisamy_project -- antisamy | In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS. | 2016-12-24 | 4.3 | CVE-2016-10006 BID CONFIRM |
cisco -- intercloud_fabric | A vulnerability in Cisco Intercloud Fabric for Business and Cisco Intercloud Fabric for Providers could allow an unauthenticated, remote attacker to connect to the database used by these products. More Information: CSCus99394. Known Affected Releases: 7.3(0)ZN(0.99). | 2016-12-26 | 6.5 | CVE-2016-9217 BID CONFIRM |
cisco -- jabber_guest | A vulnerability in the Cisco Jabber Guest Server could allow an unauthenticated, remote attacker to initiate connections to arbitrary hosts. More Information: CSCvc31635. Known Affected Releases: 10.6(9). Known Fixed Releases: 11.0(0). | 2016-12-26 | 6.4 | CVE-2016-9224 BID SECTRACK CONFIRM |
google -- android | The non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even after the device has been upgraded to an Android 5.1.1 or 6.0.1 build. The vulnerable system app gives a non-existent app the ability to read the notifications from the device, which a third-party app can utilize if it uses a package name of com.samsung.android.app.portalservicewidget. This vulnerability allows an unprivileged third-party app to obtain the text of the user's notifications, which tend to contain personal data. | 2016-12-23 | 4.3 | CVE-2016-6910 MISC BID |
imagemagick -- imagemagick | An exploitable out-of-bounds write exists in the handling of compressed TIFF images in ImageMagick's convert utility. A crafted TIFF document can lead to an out-of-bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user-controlled TIFF that is handled by this functionality. | 2016-12-23 | 6.8 | CVE-2016-8707 BID MISC |
kde -- kde-cli-tools | A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user. | 2016-12-23 | 4.0 | CVE-2016-7787 SUSE SUSE MLIST BID |
kde -- kmail | KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated HTML is executed in the local file security context by default, access to remote and local URLs was enabled. | 2016-12-23 | 5.8 | CVE-2016-7967 MLIST BID MISC |
linux -- linux_kernel | fs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts. | 2016-12-28 | 4.7 | CVE-2016-6213 CONFIRM MLIST BID CONFIRM CONFIRM |
linux -- linux_kernel | kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111. | 2016-12-28 | 6.9 | CVE-2016-6786 CONFIRM CONFIRM BID CONFIRM CONFIRM |
linux -- linux_kernel | kernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224. | 2016-12-28 | 6.9 | CVE-2016-6787 CONFIRM CONFIRM BID CONFIRM CONFIRM |
linux -- linux_kernel | Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations. | 2016-12-28 | 4.9 | CVE-2016-9685 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM |
linux -- linux_kernel | The netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c. | 2016-12-28 | 4.6 | CVE-2016-9755 CONFIRM MLIST BID CONFIRM CONFIRM CONFIRM MLIST |
linux -- linux_kernel | KVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h. | 2016-12-28 | 6.9 | CVE-2016-9777 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM |
linux -- linux_kernel | Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. | 2016-12-28 | 4.6 | CVE-2016-9794 CONFIRM MLIST BID CONFIRM CONFIRM CONFIRM |
novell -- leap | Turning all screens off in Plasma-workspace and kscreenlocker while the lock screen is shown can result in the screen being unlocked when turning a screen on again. | 2016-12-23 | 4.6 | CVE-2016-2312 FEDORA FEDORA MISC MISC CONFIRM |
pivotal_software -- spring_framework | An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. | 2016-12-29 | 5.0 | CVE-2016-9878 BID CONFIRM |
piwigo -- piwigo | Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case. | 2016-12-30 | 4.3 | CVE-2016-10083 CONFIRM CONFIRM |
piwigo -- piwigo | admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter). | 2016-12-30 | 6.5 | CVE-2016-10084 CONFIRM CONFIRM |
piwigo -- piwigo | admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter. | 2016-12-30 | 6.5 | CVE-2016-10085 CONFIRM CONFIRM |
qemu -- qemu | QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. | 2016-12-29 | 4.9 | CVE-2016-9846 MLIST MLIST BID MLIST |
qemu -- qemu | Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup. | 2016-12-29 | 4.9 | CVE-2016-9913 CONFIRM MLIST MLIST BID MLIST |
qemu -- qemu | Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations. | 2016-12-29 | 4.9 | CVE-2016-9914 CONFIRM MLIST MLIST BID MLIST |
qemu -- qemu | Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend. | 2016-12-29 | 4.9 | CVE-2016-9915 CONFIRM MLIST MLIST BID MLIST |
qemu -- qemu | Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend. | 2016-12-29 | 4.9 | CVE-2016-9916 CONFIRM MLIST MLIST BID MLIST |
siemens -- desigo_web_module_pxa40-w0_firmware | Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key. | 2016-12-23 | 5.0 | CVE-2016-9154 BID CONFIRM MISC |
sprecher-automation -- sprecon-e_service_program | An issue was discovered in Sprecher Automation SPRECON-E Service Program before 3.43 SP0. Under certain preconditions, it is possible to execute telegram simulation as a non-admin user. As prerequisites, a user must have created an online-connection, validly authenticated and authorized as administrator, and executed telegram simulation. After that, the online-connection must have been closed. Incorrect caching of client data then may lead to privilege escalation, where a subsequently acting non-admin user is permitted to do telegram simulation. In order to exploit this vulnerability, a potential attacker would need to have both a valid engineering-account in the SPRECON RBAC system as well as access to a service/maintenance computer with SPRECON-E Service Program running. Additionally, a valid admin-user must have closed the service connection beforehand without closing the program, having executed telegram simulation; the attacker then has access to the running software instance. Hence, there is no risk from external attackers. | 2016-12-25 | 4.6 | CVE-2016-10041 CONFIRM |
tarantool -- msgpuck | An exploitable incorrect return value vulnerability exists in the mp_check function of Tarantool's Msgpuck library 1.0.3. A specially crafted packet can cause the mp_check function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of a buffer, resulting in a denial of service vulnerability. | 2016-12-23 | 5.0 | CVE-2016-9036 BID MISC |
tiki -- tikiwiki_cms/groupware | Some forms with the parameter geo_zoomlevel_to_found_location in Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 don't have the input sanitized, related to tiki-setup.php and article_image.php. The impact is XSS. | 2016-12-23 | 4.3 | CVE-2016-9889 BID CONFIRM |
vmware -- identity_manager | VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors. | 2016-12-29 | 5.0 | CVE-2016-5334 BID CONFIRM |
vmware -- tools | The graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7080. | 2016-12-29 | 4.6 | CVE-2016-7079 BID CONFIRM |
vmware -- tools | The graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7079. | 2016-12-29 | 4.6 | CVE-2016-7080 BID CONFIRM |
vmware -- workstation_pro | Multiple heap-based buffer overflows in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS via unspecified vectors. | 2016-12-29 | 6.9 | CVE-2016-7081 BID CONFIRM |
vmware -- workstation_pro | VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via an EMF file. | 2016-12-29 | 5.9 | CVE-2016-7082 BID CONFIRM |
vmware -- workstation_pro | VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via TrueType fonts embedded in EMFSPOOL. | 2016-12-29 | 5.9 | CVE-2016-7083 BID CONFIRM |
vmware -- workstation_pro | tpview.dll in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via a JPEG 2000 image. | 2016-12-29 | 6.9 | CVE-2016-7084 BID CONFIRM |
vmware -- horizon_view | Directory traversal vulnerability in the Connection Server in VMware Horizon View 5.x before 5.3.7, 6.x before 6.2.3, and 7.x before 7.0.1 allows remote attackers to obtain sensitive information via unspecified vectors. | 2016-12-29 | 5.0 | CVE-2016-7087 BID CONFIRM |
vmware -- vsphere_client | VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2016-12-29 | 5.0 | CVE-2016-7458 BID CONFIRM |
vmware -- vcenter_server | VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2016-12-29 | 4.0 | CVE-2016-7459 BID CONFIRM |
vmware -- vrealize_automation | The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2016-12-29 | 6.4 | CVE-2016-7460 BID CONFIRM |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
dotclear -- dotclear | Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title). | 2016-12-29 | 3.5 | CVE-2016-9891 BID CONFIRM CONFIRM CONFIRM CONFIRM MISC |
linux -- linux_kernel | arch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest. | 2016-12-28 | 2.1 | CVE-2016-9588 CONFIRM MLIST BID CONFIRM CONFIRM |
linux -- linux_kernel | arch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application. | 2016-12-28 | 2.1 | CVE-2016-9756 CONFIRM CONFIRM MLIST BID CONFIRM CONFIRM |
pivotal_software -- cloud_foundry | Cloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider. | 2016-12-23 | 2.6 | CVE-2016-6659 BID CONFIRM |
qemu -- qemu | QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue. | 2016-12-29 | 2.1 | CVE-2015-8701 MLIST MLIST BID CONFIRM MLIST |
qemu -- qemu | QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes. | 2016-12-29 | 3.6 | CVE-2015-8743 MLIST MLIST BID CONFIRM MLIST |
qemu -- qemu | QEMU (aka Quick Emulator) built with VMware VMXNET3 paravirtual NIC emulator support is vulnerable to a crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance, resulting in DoS. | 2016-12-29 | 2.1 | CVE-2015-8744 CONFIRM MLIST MLIST BID CONFIRM |
qemu -- qemu | QEMU (aka Quick Emulator) built with VMware VMXNET3 paravirtual NIC emulator support is vulnerable to a crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance, resulting in DoS. | 2016-12-29 | 2.1 | CVE-2015-8745 CONFIRM MLIST MLIST BID SECTRACK CONFIRM |
qemu -- qemu | The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors. | 2016-12-29 | 2.1 | CVE-2015-8818 CONFIRM MLIST MLIST CONFIRM |
qemu -- qemu | QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue. | 2016-12-29 | 2.1 | CVE-2016-1922 MLIST MLIST BID CONFIRM MLIST |
qemu -- qemu | QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS. | 2016-12-29 | 2.1 | CVE-2016-1981 MLIST MLIST BID CONFIRM MLIST |
qemu -- qemu | QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS. | 2016-12-29 | 2.1 | CVE-2016-2197 MLIST MLIST BID CONFIRM MLIST |
qemu -- qemu | QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside the guest could use this flaw to crash the QEMU process instance, resulting in DoS. | 2016-12-29 | 2.1 | CVE-2016-2198 MLIST MLIST CONFIRM MLIST |
qemu -- qemu | QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS. | 2016-12-29 | 2.1 | CVE-2016-9776 MLIST MLIST BID CONFIRM MLIST |
qemu -- qemu | QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes. | 2016-12-29 | 2.1 | CVE-2016-9845 MLIST MLIST BID MLIST |
qemu -- qemu | Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. | 2016-12-23 | 2.1 | CVE-2016-9907 MLIST BID |
qemu -- qemu | Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes. | 2016-12-23 | 2.1 | CVE-2016-9908 MLIST BID |
qemu -- qemu | Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. | 2016-12-23 | 2.1 | CVE-2016-9911 MLIST BID |
qemu -- qemu | Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. | 2016-12-23 | 2.1 | CVE-2016-9912 MLIST BID |
qemu -- qemu | Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. | 2016-12-23 | 2.1 | CVE-2016-9921 MLIST BID |
qemu -- qemu | Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS. | 2016-12-23 | 2.1 | CVE-2016-9923 MLIST BID |
s9y -- serendipity | Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name. | 2016-12-25 | 3.5 | CVE-2016-9681 BID MISC MISC |
vmware -- tools | VMware Tools 9.x and 10.x before 10.1.0 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors. | 2016-12-29 | 2.1 | CVE-2016-5328 BID CONFIRM |
vmware -- fusion | VMware Fusion 8.x before 8.5 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors. | 2016-12-29 | 2.1 | CVE-2016-5329 BID CONFIRM |
vmware -- esxi | Cross-site scripting (XSS) vulnerability in the Host Client in VMware vSphere Hypervisor (aka ESXi) 5.5 and 6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted VM. | 2016-12-29 | 3.5 | CVE-2016-7463 BID SECTRACK CONFIRM |
Severity Not Yet Assigned
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
libvncserver -- libvncclient | Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area. | 2016-12-31 | not yet calculated | CVE-2016-9941 CONFIRM CONFIRM |
libvncserver -- libvncclient | Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions. | 2016-12-31 | not yet calculated | CVE-2016-9942 CONFIRM CONFIRM |
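Both LibVNCClient entries above come down to a missing sanity check on values a malicious server controls: the rectangle position and size in a FramebufferUpdate (CVE-2016-9941), and the decompressed size of an Ultra tile relative to that rectangle (CVE-2016-9942). The following is an added example of the two checks a client should apply, written for this bulletin and not taken from LibVNCServer's code. It assumes an 800x600 client framebuffer with 32-bit pixels, uses encoding number 9 for Ultra as listed in LibVNC's rfbproto.h, parses only the rectangle header layout from RFC 6143 section 7.6.1, and does not model the Ultra tile wire format itself, only the length comparison. The messages it runs on are constructed inline.

```python
import struct

# Assumed client state: an 800x600 framebuffer with a 32-bit pixel format.
FB_WIDTH, FB_HEIGHT = 800, 600
BYTES_PER_PIXEL = 4
ENC_RAW, ENC_ULTRA = 0, 9   # RFC 6143 Raw encoding; 9 is LibVNC's Ultra encoding


class BadUpdate(ValueError):
    """Raised for a FramebufferUpdate the client must refuse to apply."""


def parse_rect_header(msg: bytes, offset: int = 0):
    """Read one rectangle header from a FramebufferUpdate: u16 x, y, w, h
    followed by an s32 encoding type (RFC 6143 section 7.6.1), big-endian."""
    if offset + 12 > len(msg):
        raise BadUpdate("truncated rectangle header")
    return struct.unpack_from(">HHHHi", msg, offset)


def rect_in_bounds(x, y, w, h, fb_w=FB_WIDTH, fb_h=FB_HEIGHT) -> bool:
    """The check missing for CVE-2016-9941: the subrectangle must lie entirely
    inside the client's drawing area. Compare x + w against fb_w rather than
    w against fb_w - x, so a C port with unsigned fields cannot wrap."""
    return x + w <= fb_w and y + h <= fb_h


def tile_payload_ok(w, h, decompressed_len, bpp=BYTES_PER_PIXEL) -> bool:
    """The length check for CVE-2016-9942: a decompressed tile must carry
    exactly w * h pixels; anything longer overruns the destination buffer."""
    return decompressed_len == w * h * bpp


def validate_update(msg: bytes, decompressed_len=None):
    """Parse the single-rectangle update at the start of msg, apply both
    checks and return the rectangle. Framing beyond the header is not modelled."""
    if len(msg) < 4 or msg[0] != 0:
        raise BadUpdate("not a FramebufferUpdate")
    (nrects,) = struct.unpack_from(">H", msg, 2)
    if nrects != 1:
        raise BadUpdate("example handles a single rectangle")
    x, y, w, h, enc = parse_rect_header(msg, 4)
    if not rect_in_bounds(x, y, w, h):
        raise BadUpdate(f"rectangle {x},{y} {w}x{h} outside {FB_WIDTH}x{FB_HEIGHT}")
    if enc == ENC_ULTRA and decompressed_len is not None \
            and not tile_payload_ok(w, h, decompressed_len):
        raise BadUpdate("Ultra tile length does not match rectangle size")
    return (x, y, w, h, enc)


def update_msg(x, y, w, h, enc) -> bytes:
    """Constructed test input: message type 0, padding, u16 count of 1, one header."""
    return struct.pack(">BBH", 0, 0, 1) + struct.pack(">HHHHi", x, y, w, h, enc)


def is_rejected(msg: bytes, decompressed_len=None) -> bool:
    try:
        validate_update(msg, decompressed_len)
    except BadUpdate:
        return True
    return False


if __name__ == "__main__":
    print(validate_update(update_msg(10, 20, 100, 50, ENC_RAW)))
    print(is_rejected(update_msg(700, 0, 200, 10, ENC_RAW)))             # x + w > 800
    print(is_rejected(update_msg(0, 0, 16, 16, ENC_ULTRA), 16 * 16 * 4 + 1))  # oversized tile
```

The bounds check belongs before any pixel data is read, because the rectangle header arrives before the payload and the client has already allocated its framebuffer from its own notion of width and height, not the server's.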
linux -- linux_kernel | The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576. | 2016-12-30 | not yet calculated | CVE-2016-10088 CONFIRM MLIST CONFIRM |
phpmailer -- phpmailer | The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. | 2016-12-30 | not yet calculated | CVE-2016-10045 MLIST MISC FULLDISC BUGTRAQ BID CONFIRM CONFIRM CONFIRM MISC EXPLOIT-DB |
phpmailer -- phpmailer | The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address. | 2016-12-30 | not yet calculated | CVE-2016-10033 MISC FULLDISC BUGTRAQ BID CONFIRM CONFIRM CONFIRM MISC CONFIRM EXPLOIT-DB EXPLOIT-DB |
qemu -- qemu | QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an out-of-bounds read/write access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside the guest could use this flaw to crash the guest instance, resulting in DoS. | 2016-12-29 | not yet calculated | CVE-2015-8817 CONFIRM CONFIRM MLIST MLIST CONFIRM MLIST |
sap_hybris -- hybris_management_console | Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field. | 2016-12-31 | not yet calculated | CVE-2016-6857 MISC |
sap_hybris -- hybris_management_console | Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field. | 2016-12-31 | not yet calculated | CVE-2016-6858 MISC |
sap_hybris -- hybris_management_console | Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter. | 2016-12-31 | not yet calculated | CVE-2016-6856 MISC |
sap_hybris -- hybris_management_console | Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace. | 2016-12-31 | not yet calculated | CVE-2016-6859 MISC |
shutter -- shutter | App/HelperFunctions.pm in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Show in Folder" action. | 2016-12-29 | not yet calculated | CVE-2015-0854 CONFIRM |
swift_mailer -- swift_mailer | The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header. | 2016-12-30 | not yet calculated | CVE-2016-10074 MISC FULLDISC BID CONFIRM MISC EXPLOIT-DB |
zend -- zend | The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. | 2016-12-30 | not yet calculated | CVE-2016-10034 BID CONFIRM MISC |
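The PHPMailer (CVE-2016-10033, CVE-2016-10045), Swift Mailer (CVE-2016-10074) and zend-mail (CVE-2016-10034) entries describe one bug class: an e-mail address with a quoted local part, valid under RFC 5322, is concatenated into the extra-parameter string that PHP's mail() hands to sendmail through /bin/sh, and a backslash-quote sequence breaks out of the quoting so the rest of the address becomes additional command-line options. The example below is added here to show the mechanism and is not code from any of those projects. It contains a Python port, written for illustration, of the escaping PHP's mail() applies to that argument (the same logic escapeshellcmd() exposes; non-Windows behaviour only) and of escapeshellarg(); the "plain" and "escapeshellarg" builders are reconstructions of the two stages the entries describe, and the allowlist check is one hardened form, not the projects' own. The crafted addresses are constructed inputs, and the smuggled flags (-v, -oi) are harmless sendmail options chosen only to show that they reach argv.

```python
import shlex
import string

# Constructed inputs. -v (verbose) and -oi (ignore dots) are real but harmless
# sendmail flags, used only to show that extra parameters reach argv.
CRAFTED_FROM_10033 = '"attacker\\" -v -oi some"@example.com'    # \" inside a quoted local part
CRAFTED_FROM_10045 = "\"attacker\\' -v -oi some\"@example.com"  # \' variant aimed at escapeshellarg
BENIGN_FROM = "alice@example.com"


def php_escape_shell_cmd(s: str) -> str:
    """Illustrative port of PHP's php_escape_shell_cmd() (ext/standard/exec.c),
    which mail() applies to its fifth argument on non-Windows builds. A quote
    with a later partner of the same kind is left alone; an unpaired quote,
    a quote of the other kind inside a pair, and every backslash get escaped."""
    out = []
    partner = None               # index of the quote expected to close the open pair
    for i, c in enumerate(s):
        if c in "'\"":
            if partner is None:
                j = s.find(c, i + 1)
                if j == -1:
                    out.append("\\")
                else:
                    partner = j
            elif s[partner] == c:
                partner = None
            else:
                out.append("\\")
            out.append(c)
        elif c in "#&;`|*?~<>^()[]{}$\\\n\xff":
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def php_escapeshellarg(s: str) -> str:
    """PHP's escapeshellarg() on POSIX: single-quote the whole string."""
    return "'" + s.replace("'", "'\\''") + "'"


def shell_argv(extra_params: str):
    """What sendmail sees: mail() escapes the parameters, then the popen()'d
    /bin/sh splits the result into words (shlex follows POSIX sh quoting)."""
    return shlex.split(php_escape_shell_cmd(extra_params))


def sender_params_plain(addr: str) -> str:
    """Reconstruction of the original behaviour: the address becomes -f<addr>."""
    return "-f" + addr


def sender_params_escapeshellarg(addr: str) -> str:
    """Reconstruction of the first fix: wrap the address with escapeshellarg()."""
    return "-f" + php_escapeshellarg(addr)


SHELL_SAFE = set(string.ascii_letters + string.digits + "@_-.")


def is_shell_safe(addr: str) -> bool:
    """Allowlist hardening (assumed, not the projects' code): only characters
    that no common shell treats specially."""
    return bool(addr) and all(c in SHELL_SAFE for c in addr)


def sender_params_hardened(addr: str):
    """-f<addr> only for an allowlisted address; None means call mail()
    with no extra parameters at all rather than try to escape the input."""
    return sender_params_plain(addr) if is_shell_safe(addr) else None


if __name__ == "__main__":
    print(shell_argv(sender_params_plain(CRAFTED_FROM_10033)))           # four words, not one
    print(shell_argv(sender_params_escapeshellarg(CRAFTED_FROM_10033)))  # one word: first fix holds
    print(shell_argv(sender_params_escapeshellarg(CRAFTED_FROM_10045)))  # four words again
    print(sender_params_hardened(CRAFTED_FROM_10045), sender_params_hardened(BENIGN_FROM))
```

Running it shows why the first fix looked correct: escapeshellarg() defeats the `\"` address, because the whole single-quoted string stays one word. The `\'` variant survives because escapeshellarg() turns each `'` into `'\''`, and mail()'s own pass then escapes the backslashes and pairs the quotes in a way the shell reads as a closed quote followed by bare words. Layered escapers with different quoting rules are the root cause; refusing anything outside an allowlist, or avoiding the extra-parameter path entirely, removes it.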