Vulnerability Summary for the Week of December 26, 2016

Released
Jan 02, 2017
Document ID
SB17-002

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
cisco -- cloudcenter_orchestratorA vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system. Affected Products: This vulnerability affect all releases of Cisco CloudCenter Orchestrator (CCO) deployments where the Docker Engine TCP port 2375 is open on the system and bound to local address 0.0.0.0 (any interface).2016-12-2610.0CVE-2016-9223
BID
CONFIRM
debian -- debian_linuxThrough a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.2016-12-237.5CVE-2016-7966
SUSE
DEBIAN
MLIST
BID
FEDORA
hp -- thinproHP ThinPro 4.4 through 6.1 mishandles the keyboard layout control panel and virtual keyboard application, which allows local users to bypass intended access restrictions and gain privileges via unspecified vectors.2016-12-297.2CVE-2016-2246
HP
BID
kde -- kmailKMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed.2016-12-237.5CVE-2016-7968
MLIST
BID
MISC
linux -- linux_kernelThe sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option.2016-12-287.2CVE-2012-6704
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux -- linux_kernelThe blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.2016-12-287.2CVE-2016-9576
CONFIRM
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux -- linux_kernelThe sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.2016-12-287.2CVE-2016-9793
CONFIRM
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux -- linux_kernelRace condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel before 4.6.3 allows local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that makes sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated.2016-12-287.2CVE-2016-9806
CONFIRM
MLIST
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
modx -- modx_revolutionDirectory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, related to browser/directory/getlist.2016-12-247.5CVE-2016-10037
BID
CONFIRM
CONFIRM
modx -- modx_revolutionDirectory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/remove.2016-12-247.5CVE-2016-10038
BID
CONFIRM
CONFIRM
modx -- modx_revolutionDirectory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles.2016-12-247.5CVE-2016-10039
BID
CONFIRM
CONFIRM
pivotal_software -- rabbitmqAn issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.5.20, 1.6.x before 1.6.12, and 1.7.x before 1.7.7. MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected.2016-12-297.5CVE-2016-9877
BID
CONFIRM
s9y -- serendipityinclude/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file.2016-12-307.5CVE-2016-10082
CONFIRM
CONFIRM
shutter-project -- shutter/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Run a plugin" action.2016-12-299.3CVE-2016-10081
CONFIRM
tarantool -- tarantoolAn exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified key's value. This can lead to an out of bounds read within the context of the server. An attacker who exploits this vulnerability can cause a denial of service vulnerability on the server.2016-12-237.8CVE-2016-9037
BID
MISC
vmware -- workstation_proUntrusted search path vulnerability in the installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.2016-12-297.2CVE-2016-7085
BID
CONFIRM
vmware -- workstation_proThe installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse setup64.exe file in the installation directory.2016-12-297.2CVE-2016-7086
BID
CONFIRM
vmware -- vsphere_data_protectionVMware vSphere Data Protection (VDP) 5.5.x though 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session.2016-12-2910.0CVE-2016-7456
BID
SECTRACK
CONFIRM
vmware -- vrealize_operationsVMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual machines, via unspecified vectors.2016-12-298.0CVE-2016-7457
BID
CONFIRM
vmware -- fusion_proThe drag-and-drop (aka DnD) function in VMware Workstation Pro 12.x before 12.5.2 and VMware Workstation Player 12.x before 12.5.2 and VMware Fusion and Fusion Pro 8.x before 8.5.2 allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (out-of-bounds memory access on the host OS) via unspecified vectors.2016-12-297.2CVE-2016-7461
BID
CONFIRM
vmware -- vrealize_operationsThe Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization.2016-12-297.5CVE-2016-7462
BID
CONFIRM
MISC

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
antisamy_project -- antisamyIn OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.2016-12-244.3CVE-2016-10006
BID
CONFIRM
cisco -- intercloud_fabricA vulnerability in Cisco Intercloud Fabric for Business and Cisco Intercloud Fabric for Providers could allow an unauthenticated, remote attacker to connect to the database used by these products. More Information: CSCus99394. Known Affected Releases: 7.3(0)ZN(0.99).2016-12-266.5CVE-2016-9217
BID
CONFIRM
cisco -- jabber_guestA vulnerability in the Cisco Jabber Guest Server could allow an unauthenticated, remote attacker to initiate connections to arbitrary hosts. More Information: CSCvc31635. Known Affected Releases: 10.6(9). Known Fixed Releases: 11.0(0).2016-12-266.4CVE-2016-9224
BID
SECTRACK
CONFIRM
google -- androidThe non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even after the device has been upgraded to an Android 5.1.1 or 6.0.1 build. The vulnerable system app gives a non-existent app the ability to read the notifications from the device, which a third-party app can utilize if it uses a package name of com.samsung.android.app.portalservicewidget. This vulnerability allows an unprivileged third-party app to obtain the text of the user's notifications, which tend to contain personal data.2016-12-234.3CVE-2016-6910
MISC
BID
imagemagick -- imagemagickAn exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks's convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.2016-12-236.8CVE-2016-8707
BID
MISC
kde -- kde-cli-toolsA maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.2016-12-234.0CVE-2016-7787
SUSE
SUSE
MLIST
BID
kde -- kmailKMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.2016-12-235.8CVE-2016-7967
MLIST
BID
MISC
linux -- linux_kernelfs/namespace.c in the Linux kernel before 4.9 does not restrict how many mounts may exist in a mount namespace, which allows local users to cause a denial of service (memory consumption and deadlock) via MS_BIND mount system calls, as demonstrated by a loop that triggers exponential growth in the number of mounts.2016-12-284.7CVE-2016-6213
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux -- linux_kernelkernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 30955111.2016-12-286.9CVE-2016-6786
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
linux -- linux_kernelkernel/events/core.c in the performance subsystem in the Linux kernel before 4.0 mismanages locks during certain migrations, which allows local users to gain privileges via a crafted application, aka Android internal bug 31095224.2016-12-286.9CVE-2016-6787
CONFIRM
CONFIRM
BID
CONFIRM
CONFIRM
linux -- linux_kernelMultiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel before 4.5.1 allow local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations.2016-12-284.9CVE-2016-9685
CONFIRM
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux -- linux_kernelThe netfilter subsystem in the Linux kernel before 4.9 mishandles IPv6 reassembly, which allows local users to cause a denial of service (integer overflow, out-of-bounds write, and GPF) or possibly have unspecified other impact via a crafted application that makes socket, connect, and writev system calls, related to net/ipv6/netfilter/nf_conntrack_reasm.c and net/ipv6/netfilter/nf_defrag_ipv6_hooks.c.2016-12-284.6CVE-2016-9755
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
CONFIRM
MLIST
linux -- linux_kernelKVM in the Linux kernel before 4.8.12, when I/O APIC is enabled, does not properly restrict the VCPU index, which allows guest OS users to gain host OS privileges or cause a denial of service (out-of-bounds array access and host OS crash) via a crafted interrupt request, related to arch/x86/kvm/ioapic.c and arch/x86/kvm/ioapic.h.2016-12-286.9CVE-2016-9777
CONFIRM
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux -- linux_kernelRace condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command.2016-12-284.6CVE-2016-9794
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
CONFIRM
novell -- leapTurning all screens off in Plasma-workspace and kscreenlocker while the lock screen is shown can result in the screen being unlocked when turning a screen on again.2016-12-234.6CVE-2016-2312
FEDORA
FEDORA
MISC
MISC
CONFIRM
pivotal_software -- spring_frameworkAn issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.2016-12-295.0CVE-2016-9878
BID
CONFIRM
piwigo -- piwigoCross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.2016-12-304.3CVE-2016-10083
CONFIRM
CONFIRM
piwigo -- piwigoadmin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter).2016-12-306.5CVE-2016-10084
CONFIRM
CONFIRM
piwigo -- piwigoadmin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter.2016-12-306.5CVE-2016-10085
CONFIRM
CONFIRM
qemu -- qemuQEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.2016-12-294.9CVE-2016-9846
MLIST
MLIST
BID
MLIST
qemu -- qemuMemory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup.2016-12-294.9CVE-2016-9913
CONFIRM
MLIST
MLIST
BID
MLIST
qemu -- qemuMemory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations.2016-12-294.9CVE-2016-9914
CONFIRM
MLIST
MLIST
BID
MLIST
qemu -- qemuMemory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend.2016-12-294.9CVE-2016-9915
CONFIRM
MLIST
MLIST
BID
MLIST
qemu -- qemuMemory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend.2016-12-294.9CVE-2016-9916
CONFIRM
MLIST
MLIST
BID
MLIST
siemens -- desigo_web_module_pxa40-w0_firmwareSiemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.2016-12-235.0CVE-2016-9154
BID
CONFIRM
MISC
sprecher-automation -- sprecon-e_service_programAn issue was discovered in Sprecher Automation SPRECON-E Service Program before 3.43 SP0. Under certain preconditions, it is possible to execute telegram simulation as a non-admin user. As prerequisites, a user must have created an online-connection, validly authenticated and authorized as administrator, and executed telegram simulation. After that, the online-connection must have been closed. Incorrect caching of client data then may lead to privilege escalation, where a subsequently acting non-admin user is permitted to do telegram simulation. In order to exploit this vulnerability, a potential attacker would need to have both a valid engineering-account in the SPRECON RBAC system as well as access to a service/maintenance computer with SPRECON-E Service Program running. Additionally, a valid admin-user must have closed the service connection beforehand without closing the program, having executed telegram simulation; the attacker then has access to the running software instance. Hence, there is no risk from external attackers.2016-12-254.6CVE-2016-10041
CONFIRM
tarantool -- msgpuckAn exploitable incorrect return value vulnerability exists in the mp_check function of Tarantool's Msgpuck library 1.0.3. A specially crafted packet can cause the mp_check function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of a buffer, resulting in a denial of service vulnerability.2016-12-235.0CVE-2016-9036
BID
MISC
tiki -- tikiwiki_cms/groupwareSome forms with the parameter geo_zoomlevel_to_found_location in Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 don't have the input sanitized, related to tiki-setup.php and article_image.php. The impact is XSS.2016-12-234.3CVE-2016-9889
BID
CONFIRM
vmware -- identity_mangerVMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors.2016-12-295.0CVE-2016-5334
BID
CONFIRM
vmware -- toolsThe graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7080.2016-12-294.6CVE-2016-7079
BID
CONFIRM
vmware -- toolsThe graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7079.2016-12-294.6CVE-2016-7080
BID
CONFIRM
vmware -- workstation_proMultiple heap-based buffer overflows in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS via unspecified vectors.2016-12-296.9CVE-2016-7081
BID
CONFIRM
vmware -- workstation_proVMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via an EMF file.2016-12-295.9CVE-2016-7082
BID
CONFIRM
vmware -- workstation_proVMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via TrueType fonts embedded in EMFSPOOL.2016-12-295.9CVE-2016-7083
BID
CONFIRM
vmware -- workstation_protpview.dll in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via a JPEG 2000 image.2016-12-296.9CVE-2016-7084
BID
CONFIRM
vmware -- horizon_viewDirectory traversal vulnerability in the Connection Server in VMware Horizon View 5.x before 5.3.7, 6.x before 6.2.3, and 7.x before 7.0.1 allows remote attackers to obtain sensitive information via unspecified vectors.2016-12-295.0CVE-2016-7087
BID
CONFIRM
vmware -- vsphere_clientVMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.2016-12-295.0CVE-2016-7458
BID
CONFIRM
vmware -- vcenter_serverVMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.2016-12-294.0CVE-2016-7459
BID
CONFIRM
vmware -- vrealize_automationThe Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.2016-12-296.4CVE-2016-7460
BID
CONFIRM

Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
dotclear -- dotclearCross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title).2016-12-293.5CVE-2016-9891
BID
CONFIRM
CONFIRM
CONFIRM
CONFIRM
MISC
linux -- linux_kernelarch/x86/kvm/vmx.c in the Linux kernel through 4.9 mismanages the #BP and #OF exceptions, which allows guest OS users to cause a denial of service (guest OS crash) by declining to handle an exception thrown by an L2 guest.2016-12-282.1CVE-2016-9588
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
linux -- linux_kernelarch/x86/kvm/emulate.c in the Linux kernel before 4.8.12 does not properly initialize Code Segment (CS) in certain error cases, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.2016-12-282.1CVE-2016-9756
CONFIRM
CONFIRM
MLIST
BID
CONFIRM
CONFIRM
pivotal_software -- cloud_foundryCloud Foundry before 248; UAA 2.x before 2.7.4.12, 3.x before 3.6.5, and 3.7.x through 3.9.x before 3.9.3; and UAA bosh release (aka uaa-release) before 13.9 for UAA 3.6.5 and before 24 for UAA 3.9.3 allow attackers to gain privileges by accessing UAA logs and subsequently running a specially crafted application that interacts with a configured SAML provider.2016-12-232.6CVE-2016-6659
BID
CONFIRM
qemu -- qemuQEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.2016-12-292.1CVE-2015-8701
MLIST
MLIST
BID
CONFIRM
MLIST
qemu -- qemuQEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes.2016-12-293.6CVE-2015-8743
MLIST
MLIST
BID
CONFIRM
MLIST
qemu -- qemuQEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.2016-12-292.1CVE-2015-8744
CONFIRM
MLIST
MLIST
BID
CONFIRM
qemu -- qemuQEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS.2016-12-292.1CVE-2015-8745
CONFIRM
MLIST
MLIST
BID
SECTRACK
CONFIRM
qemu -- qemuThe cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors.2016-12-292.1CVE-2015-8818
CONFIRM
MLIST
MLIST
CONFIRM
qemu -- qemuQEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue.2016-12-292.1CVE-2016-1922
MLIST
MLIST
BID
CONFIRM
MLIST
qemu -- qemuQEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS.2016-12-292.1CVE-2016-1981
MLIST
MLIST
BID
CONFIRM
MLIST
qemu -- qemuQEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS.2016-12-292.1CVE-2016-2197
MLIST
MLIST
BID
CONFIRM
MLIST
qemu -- qemuQEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.2016-12-292.1CVE-2016-2198
MLIST
MLIST
CONFIRM
MLIST
qemu -- qemuQEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.2016-12-292.1CVE-2016-9776
MLIST
MLIST
BID
CONFIRM
MLIST
qemu -- qemuQEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.2016-12-292.1CVE-2016-9845
MLIST
MLIST
BID
MLIST
qemu -- qemuQuick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.2016-12-232.1CVE-2016-9907
MLIST
BID
qemu -- qemuQuick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes.2016-12-232.1CVE-2016-9908
MLIST
BID
qemu -- qemuQuick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host.2016-12-232.1CVE-2016-9911
MLIST
BID
qemu -- qemuQuick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host.2016-12-232.1CVE-2016-9912
MLIST
BID
qemu -- qemuQuick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS.2016-12-232.1CVE-2016-9921
MLIST
BID
qemu -- qemuQuick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS.2016-12-232.1CVE-2016-9923
MLIST
BID
s9y -- serendipityMultiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name.2016-12-253.5CVE-2016-9681
BID
MISC
MISC
vmware -- toolsVMware Tools 9.x and 10.x before 10.1.0 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors.2016-12-292.1CVE-2016-5328
BID
CONFIRM
vmware -- fusionVMware Fusion 8.x before 8.5 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors.2016-12-292.1CVE-2016-5329
BID
CONFIRM
vmware -- esxiCross-site scripting (XSS) vulnerability in the Host Client in VMware vSphere Hypervisor (aka ESXi) 5.5 and 6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted VM.2016-12-293.5CVE-2016-7463
BID
SECTRACK
CONFIRM

Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
libvncserver -- libvncclientHeap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.2016-12-31not yet calculatedCVE-2016-9941
CONFIRM
CONFIRM
libvncserver -- libvncclientHeap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.2016-12-31not yet calculatedCVE-2016-9942
CONFIRM
CONFIRM
linux -- linux_kernelThe sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.2016-12-30not yet calculatedCVE-2016-10088
CONFIRM
MLIST
CONFIRM
phpmailer -- phpmailerThe isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.2016-12-30not yet calculatedCVE-2016-10045
MLIST
MISC
FULLDISC
BUGTRAQ
BID
CONFIRM
CONFIRM
CONFIRM
MISC
EXPLOIT-DB
phpmailer -- phpmailerThe mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address.2016-12-30not yet calculatedCVE-2016-10033
MISC
FULLDISC
BUGTRAQ
BID
CONFIRM
CONFIRM
CONFIRM
MISC
CONFIRM
EXPLOIT-DB
EXPLOIT-DB
qemu -- qemuQEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS.2016-12-29not yet calculatedCVE-2015-8817
CONFIRM
CONFIRM
MLIST
MLIST
CONFIRM
MLIST
sap_hybris -- hybris_management_consoleCross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field.2016-12-31not yet calculatedCVE-2016-6857
MISC
sap_hybris -- hybris_management_consoleCross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.2016-12-31not yet calculatedCVE-2016-6858
MISC
sap_hybris -- hybris_management_consoleCross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter.2016-12-31not yet calculatedCVE-2016-6856
MISC
sap_hybris -- hybris_management_consoleHybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace.2016-12-31not yet calculatedCVE-2016-6859
MISC
shutter -- shutterApp/HelperFunctions.pm in Shutter through 0.93.1 allows user-assisted remote attackers to execute arbitrary commands via a crafted image name that is mishandled during a "Show in Folder" action.2016-12-29not yet calculatedCVE-2015-0854
CONFIRM
swift_mailer -- swift_mailerThe mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.2016-12-30not yet calculatedCVE-2016-10074
MISC
FULLDISC
BID
CONFIRM
MISC
EXPLOIT-DB
zend -- zendThe setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.2016-12-30not yet calculatedCVE-2016-10034
BID
CONFIRM
MISC

Back to top

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.