Vulnerability Summary for the Week of January 2, 2017
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
arista -- dcs-7050t_eos_software | Arista EOS 4.15 before 4.15.8M, 4.16 before 4.16.7M, and 4.17 before 4.17.0F on DCS-7050 series devices allow remote attackers to cause a denial of service (device reboot) by sending crafted packets to the control plane. | 2017-01-04 | 7.8 | CVE-2016-6894 BID CONFIRM |
awebsupport -- aweb_cart_watching_system_for_virtuemart | SQL injection vulnerability in the "aWeb Cart Watching System for Virtuemart" extension before 2.6.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via vectors involving categorysearch and smartSearch. | 2017-01-03 | 7.5 | CVE-2016-10114 BID MISC |
genexia -- drgos | The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter. | 2017-01-05 | 9.0 | CVE-2015-3441 MISC |
genixcms_project -- genixcms | SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the activation parameter. | 2017-01-01 | 7.5 | CVE-2016-10096 MISC BID MISC MISC |
icu_project -- international_components_for_unicode | Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call. | 2017-01-04 | 7.5 | CVE-2014-9911 CONFIRM MLIST BID CONFIRM CONFIRM |
libgd -- libgd | Integer signedness error in the dynamicGetbuf function in gd_io_dp.c in the GD Graphics Library (aka libgd) through 2.2.3, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted imagecreatefromstring call. | 2017-01-04 | 7.5 | CVE-2016-8670 MLIST CONFIRM CONFIRM BID CONFIRM CONFIRM |
libvncserver_project -- libvncserver | Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area. | 2016-12-31 | 7.5 | CVE-2016-9941 BID CONFIRM CONFIRM |
libvncserver_project -- libvncserver | Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions. | 2016-12-31 | 7.5 | CVE-2016-9942 BID CONFIRM CONFIRM |
linux -- linux_kernel | The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. | 2017-01-05 | 7.2 | CVE-2016-9754 CONFIRM CONFIRM BID CONFIRM CONFIRM |
matrixssl -- matrixssl | Heap-based buffer overflow in MatrixSSL before 3.8.6 allows remote attackers to execute arbitrary code via a crafted Subject Alt Name in an X.509 certificate. | 2017-01-05 | 10.0 | CVE-2016-6890 BID MISC CONFIRM CERT-VN |
netgear -- arlo_base_station_firmware | NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier have a default password of 12345678, which makes it easier for remote attackers to obtain access after a factory reset or in a factory configuration. | 2017-01-04 | 10.0 | CVE-2016-10115 MISC MISC BID |
netgear -- arlo_base_station_firmware | NETGEAR Arlo base stations with firmware 1.7.5_6178 and earlier, Arlo Q devices with firmware 1.8.0_5551 and earlier, and Arlo Q Plus devices with firmware 1.8.1_6094 and earlier use a pattern of adjective, noun, and three-digit number for the customized password, which makes it easier for remote attackers to obtain access via a dictionary attack. | 2017-01-04 | 9.3 | CVE-2016-10116 MISC MISC BID |
openbsd -- openssh | Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. | 2017-01-04 | 7.5 | CVE-2016-10009 MISC MLIST BID SECTRACK CONFIRM MISC CONFIRM EXPLOIT-DB CONFIRM |
openbsd -- openssh | The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures. | 2017-01-04 | 7.2 | CVE-2016-10012 MLIST BID SECTRACK CONFIRM CONFIRM CONFIRM |
php -- php | The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument. | 2017-01-04 | 7.5 | CVE-2014-9912 MLIST CONFIRM BID CONFIRM CONFIRM |
php -- php | Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. | 2017-01-04 | 7.5 | CVE-2016-9137 CONFIRM MLIST CONFIRM CONFIRM BID CONFIRM |
php -- php | PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup. | 2017-01-04 | 7.5 | CVE-2016-9138 MLIST BID CONFIRM |
php -- php | The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. | 2017-01-04 | 7.5 | CVE-2016-9935 SUSE DEBIAN MLIST CONFIRM CONFIRM BID CONFIRM CONFIRM |
php -- php | The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834. | 2017-01-04 | 7.5 | CVE-2016-9936 MLIST CONFIRM BID CONFIRM CONFIRM |
piwigo -- piwigo | admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence. | 2017-01-03 | 7.5 | CVE-2016-10105 BID CONFIRM CONFIRM CONFIRM |
quick_heal -- internet_security | Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X allows remote attackers to execute arbitrary code via a crafted LC_UNIXTHREAD.cmdsize field in a Mach-O file that is mishandled during a Security Scan (aka Custom Scan) operation. | 2017-01-02 | 7.5 | CVE-2017-5005 BID MISC MISC |
s9y -- serendipity | include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file. | 2016-12-30 | 7.5 | CVE-2016-10082 BID CONFIRM CONFIRM |
schedmd -- slurm | The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 ("success") and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue. | 2017-01-05 | 7.6 | CVE-2016-10030 CONFIRM CONFIRM |
swiftmailer -- swiftmailer | The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header. | 2016-12-30 | 7.5 | CVE-2016-10074 MISC FULLDISC BID CONFIRM MISC EXPLOIT-DB |
veritas -- netbackup_appliance_firmware | scripts/license.pl in Veritas NetBackup Appliance 2.6.0.x through 2.6.0.4, 2.6.1.x through 2.6.1.2, 2.7.x through 2.7.3, and 3.0.x allows remote attackers to execute arbitrary commands via shell metacharacters in the hostName parameter to appliancews/getLicense. | 2017-01-04 | 10.0 | CVE-2016-7399 MISC BID CONFIRM CONFIRM |
western_digital -- mycloud_nas | Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 index.php page via a modified Cookie header. | 2017-01-03 | 10.0 | CVE-2016-10107 BID MISC |
western_digital -- mycloud_nas | Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data. | 2017-01-03 | 10.0 | CVE-2016-10108 BID MISC |
zend -- zend-mail | The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. | 2016-12-30 | 7.5 | CVE-2016-10034 BID CONFIRM MISC |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
borg -- borg | Borg (aka BorgBackup) before 1.0.9 has a flaw in the cryptographic protocol used to authenticate the manifest (list of archives), potentially allowing an attacker to spoof the list of archives. | 2017-01-02 | 5.0 | CVE-2016-10099 CONFIRM BID |
borg -- borg | Borg (aka BorgBackup) before 1.0.9 has a flaw in the way duplicate archive names were processed during manifest recovery, potentially allowing an attacker to overwrite an archive. | 2017-01-02 | 5.0 | CVE-2016-10100 CONFIRM BID |
dotclear -- dotclear | Unrestricted file upload vulnerability in the fileUnzip->unzip method in Dotclear before 2.10.3 allows remote authenticated users with permissions to manage media items to execute arbitrary code by uploading a ZIP file containing a file with a crafted extension, as demonstrated by .php.txt or .php%20. | 2017-01-04 | 6.5 | CVE-2016-7902 MLIST BID CONFIRM CONFIRM |
dotclear -- dotclear | Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header. | 2017-01-04 | 4.3 | CVE-2016-7903 MLIST BID CONFIRM CONFIRM |
f5 -- big-ip_advanced_firewall_manager | Virtual servers in F5 BIG-IP systems 11.6.1 before 11.6.1 HF1 and 12.1.x before 12.1.2, when configured to parse RADIUS messages via an iRule, allow remote attackers to cause a denial of service (Traffic Management Microkernel restart) via crafted network traffic. | 2017-01-03 | 4.3 | CVE-2016-5024 BID SECTRACK CONFIRM |
forgerock -- openam | XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM - Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter. | 2017-01-02 | 5.0 | CVE-2016-10097 MISC BID |
hybris -- hybris | Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter. | 2016-12-31 | 4.3 | CVE-2016-6856 BID MISC |
libgd -- libgd | Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value. | 2017-01-04 | 5.0 | CVE-2016-9933 SUSE SUSE SUSE MLIST CONFIRM CONFIRM BID CONFIRM CONFIRM CONFIRM CONFIRM |
linux -- linux_kernel | The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576. | 2016-12-30 | 6.9 | CVE-2016-10088 CONFIRM MLIST BID SECTRACK CONFIRM |
matrixssl -- matrixssl | MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ASN.1 Bit Field primitive in an X.509 certificate. | 2017-01-05 | 5.0 | CVE-2016-6891 BID MISC CONFIRM CERT-VN |
matrixssl -- matrixssl | The x509FreeExtensions function in MatrixSSL before 3.8.6 allows remote attackers to cause a denial of service (free of unallocated memory) via a crafted X.509 certificate. | 2017-01-05 | 5.0 | CVE-2016-6892 BID MISC CONFIRM CERT-VN |
netgear -- srx5308_firmware | Directory traversal vulnerability in scgi-bin/platform.cgi on NETGEAR FVS336Gv3, FVS318N, FVS318Gv2, and SRX5308 devices with firmware before 4.3.3-8 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the thispage parameter, as demonstrated by reading the /etc/shadow file. | 2017-01-03 | 4.0 | CVE-2016-10106 CONFIRM BID |
openbsd -- openssh | sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c. | 2017-01-04 | 6.9 | CVE-2016-10010 MISC MLIST BID SECTRACK CONFIRM MISC CONFIRM EXPLOIT-DB CONFIRM |
php -- php | ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. | 2017-01-04 | 5.0 | CVE-2016-9934 SUSE MLIST CONFIRM CONFIRM BID CONFIRM CONFIRM |
phpmailer_project -- phpmailer | The mailSend function in the isMail transport in PHPMailer before 5.2.18, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted From address. | 2016-12-30 | 6.8 | CVE-2016-10033 MISC MISC FULLDISC MISC BUGTRAQ BID CONFIRM CONFIRM CONFIRM MISC CONFIRM EXPLOIT-DB EXPLOIT-DB |
phpmailer_project -- phpmailer | The isMail transport in PHPMailer before 5.2.20, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. | 2016-12-30 | 6.8 | CVE-2016-10045 MLIST MISC MISC FULLDISC MISC BUGTRAQ BID CONFIRM CONFIRM CONFIRM MISC EXPLOIT-DB |
piwigo -- piwigo | Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case. | 2016-12-30 | 4.3 | CVE-2016-10083 BID CONFIRM CONFIRM |
piwigo -- piwigo | admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter). | 2016-12-30 | 6.5 | CVE-2016-10084 BID CONFIRM CONFIRM |
piwigo -- piwigo | admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter. | 2016-12-30 | 6.5 | CVE-2016-10085 BID CONFIRM CONFIRM |
sap -- hybris | Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace. | 2016-12-31 | 4.0 | CVE-2016-6859 BID MISC |
torproject -- tor | Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data. | 2017-01-04 | 5.0 | CVE-2016-8860 MLIST BID CONFIRM CONFIRM CONFIRM |
wordpress -- wordpress | Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | 2017-01-04 | 4.3 | CVE-2016-7168 MLIST MLIST BID CONFIRM CONFIRM MISC CONFIRM |
wordpress -- wordpress | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. | 2017-01-04 | 6.5 | CVE-2016-7169 BID CONFIRM CONFIRM CONFIRM |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
mcafee -- security_information_and_event_management | Authentication bypass vulnerability in Enterprise Security Manager (ESM) and License Manager (LM) in Intel Security McAfee Security Information and Event Management (SIEM) 9.6.0 MR3 allows an administrator to make changes to other SIEM users' information including user passwords without supplying the current administrator password a second time via the GUI or GUI terminal commands. | 2017-01-05 | 1.7 | CVE-2016-8006 CONFIRM |
openbsd -- openssh | authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process. | 2017-01-04 | 2.1 | CVE-2016-10011 MLIST BID SECTRACK CONFIRM CONFIRM CONFIRM |
sap -- hybris | Cross-site scripting (XSS) vulnerability in the Create Catalogue feature in Hybris Management Console (HMC) in SAP Hybris before 5.2.0.13, 5.3.x before 5.3.0.11, 5.4.x before 5.4.0.11, 5.5.0.x before 5.5.0.10, 5.5.1.x before 5.5.1.11, 5.6.x before 5.6.0.11, and 5.7.x before 5.7.0.15 allows remote authenticated users to inject arbitrary web script or HTML via the ID field. | 2016-12-31 | 3.5 | CVE-2016-6857 BID MISC |
sap -- hybris | Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field. | 2016-12-31 | 3.5 | CVE-2016-6858 BID MISC |
tenable -- nessus | Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2017-01-05 | 3.5 | CVE-2017-5179 CONFIRM |
woocommerce -- woocommerce | Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. | 2017-01-03 | 3.5 | CVE-2016-10112 BID CONFIRM |
Severity Not Yet Assigned
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
bluestacks -- app_player | A local privilege escalation vulnerability exists in BlueStacks App Player. The BlueStacks App Player installer creates a registry key with weak permissions that allows users to execute arbitrary programs with SYSTEM privileges. | 2017-01-06 | not yet calculated | CVE-2016-4288 MISC |
emc -- scaleio | An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may be able to modify the kernel memory in the SCINI driver and may achieve code execution to escalate privileges to root on ScaleIO Data Client (SDC) servers. | 2017-01-06 | not yet calculated | CVE-2016-9867 CONFIRM |
emc -- scaleio | An issue was discovered in EMC ScaleIO versions before 2.0.1.1. A low-privileged local attacker may cause a denial-of-service by generating a kernel panic in the SCINI driver using IOCTL calls which may render the ScaleIO Data Client (SDC) server unavailable until the next reboot. | 2017-01-06 | not yet calculated | CVE-2016-9868 CONFIRM |
emc -- scaleio | An issue was discovered in EMC ScaleIO versions before 2.0.1.1. Incorrect permissions on the SCINI driver may allow a low-privileged local attacker to modify the configuration and render the ScaleIO Data Client (SDC) server unavailable. | 2017-01-06 | not yet calculated | CVE-2016-9869 CONFIRM |
foxit -- pdf_reader | A large heap-based out-of-bounds read vulnerability in Foxit PDF Reader can potentially be abused for information disclosure. Combined with another vulnerability, it can be used to leak the heap memory layout and to bypass ASLR. | 2017-01-06 | not yet calculated | CVE-2016-8334 MISC |
freeimage_project -- freeimage_library | An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution. An attacker can provide a malicious image to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-5684 MISC |
hancom -- hancom_office | When opening a Hangul Hcell Document (.cell) and processing a particular record within the Workbook stream, an index miscalculation leading to a heap overflow can be made to occur in Hancom Office 2014. The vulnerability occurs when processing data for a formula used to render a chart via the HncChartPlugin.hplg library. Due to a lack of bounds-checking when incrementing an index that is used for writing into a buffer for formulae, the application can be made to write pointer data outside its bounds, which can lead to code execution under the context of the application. | 2017-01-06 | not yet calculated | CVE-2016-4295 MISC |
hancom -- hancom_office | When opening a Hangul Hcell Document (.cell) and processing a property record within the Workbook stream, Hancom Office 2014 will attempt to allocate space for an element using a length from the file. When copying user-supplied data to this buffer, however, the application will use a different size which leads to a heap-based buffer overflow. This vulnerability can lead to code-execution under the context of the application. | 2017-01-06 | not yet calculated | CVE-2016-4294 MISC |
hancom -- hancom_office | When opening a Hangul Hcell Document (.cell) and processing a record that uses the CSSValFormat object, Hancom Office 2014 will search for an underscore ("_") character at the end of the string and write a null terminator after it. If the character is at the very end of the string, the application will mistakenly write the null byte outside the bounds of its destination. This can result in heap corruption that can lead to code execution under the context of the application. | 2017-01-06 | not yet calculated | CVE-2016-4296 MISC |
hancom -- hancom_office | When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will attempt to allocate space for a block of data within the file. When calculating this length, the application will use a value from the file and add a constant to it without checking whether the addition of the constant will cause the integer to overflow which will cause the buffer to be undersized when the application tries to copy file data into it. This allows one to overwrite contiguous data in the heap which can lead to code-execution under the context of the application. | 2017-01-06 | not yet calculated | CVE-2016-4290 MISC |
hancom -- hancom_office | When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will attempt to allocate space for a list of elements using a length from the file. When calculating this length, an integer overflow can be made to occur which will cause the buffer to be undersized when the application tries to copy file data into the object containing this structure. This allows one to overwrite contiguous data in the heap which can lead to code-execution under the context of the application. | 2017-01-06 | not yet calculated | CVE-2016-4298 MISC |
hancom -- hancom_office | When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will use a field from the structure in an operation that can cause the integer to overflow. This result is then used to allocate memory to copy file data in. Due to the lack of bounds checking on the integer, the allocated memory buffer can be made to be undersized at which point the reading of file data will write outside the bounds of the buffer. This can lead to code execution under the context of the application. | 2017-01-06 | not yet calculated | CVE-2016-4291 MISC |
hancom -- hancom_office | When opening a Hangul HShow Document (.hpt) and processing a structure within the document, Hancom Office 2014 will use a static size to allocate a heap buffer yet explicitly trust a size from the file when modifying data inside of it. Due to this, an aggressor can corrupt memory outside the bounds of this buffer which can lead to code execution under the context of the application. | 2017-01-06 | not yet calculated | CVE-2016-4292 MISC |
kaspersky -- anti-virus_software | A local denial of service vulnerability exists in the window broadcast message handling functionality of Kaspersky Anti-Virus software. By sending certain unhandled window messages, an attacker can cause application termination and in the same way bypass the KAV self-protection mechanism. | 2017-01-06 | not yet calculated | CVE-2016-4329 MISC |
kaspersky -- internet_security_kl1 | A denial of service vulnerability exists in the IOCTL handling functionality of Kaspersky Internet Security KL1 driver. A specially crafted IOCTL signal can cause an access violation in KL1 kernel driver resulting in local system denial of service. An attacker can run a program from user-mode to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-4307 MISC |
kaspersky -- internet_security_kldisk | Multiple information leaks exist in various IOCTL handlers of the Kaspersky Internet Security KLDISK driver. Specially crafted IOCTL requests can cause the driver to return out-of-bounds kernel memory, potentially leaking sensitive information such as privileged tokens or kernel memory addresses that may be useful in bypassing kernel mitigations. An unprivileged user can run a program from user-mode to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-4306 MISC |
kaspersky -- internet_security_klif | A denial of service vulnerability exists in the syscall filtering functionality of the Kaspersky Internet Security KLIF driver. A specially crafted native API call can cause an access violation in the KLIF kernel driver resulting in local denial of service. An attacker can run a program from user-mode to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-4305 MISC |
kaspersky -- internet_security_klif | A denial of service vulnerability exists in the syscall filtering functionality of the Kaspersky Internet Security KLIF driver. A specially crafted native API call request can cause an access violation exception in the KLIF kernel driver resulting in local denial of service. An attacker can run a program from user-mode to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-4304 MISC |
lexmark -- perceptive_document_filters | An exploitable heap overflow vulnerability exists in the Compound Binary File Format (CBFF) parser functionality of Lexmark Perceptive Document Filters library. A specially crafted CBFF file can cause a code execution. An attacker can send a malformed file to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-5646 MISC |
lexmark -- perspective_document_filters | An exploitable buffer overflow exists in the XLS parsing of the Lexmark Perceptive Document Filters conversion functionality. A crafted XLS document can lead to a stack-based buffer overflow resulting in remote code execution. | 2017-01-06 | not yet calculated | CVE-2016-4335 MISC |
lexmark -- perspective_document_filters | An exploitable out-of-bounds write exists in the Bzip2 parsing of the Lexmark Perceptive Document Filters conversion functionality. A crafted Bzip2 document can lead to a stack-based buffer overflow causing an out-of-bounds write which, under the right circumstances, could potentially be leveraged by an attacker to gain arbitrary code execution. | 2017-01-06 | not yet calculated | CVE-2016-4336 MISC |
libebml -- libebml | A specially crafted unicode string in libebml master branch can cause an off-by-few read on the heap in unicode string parsing code in libebml. This issue can potentially be used for information leaks. | 2017-01-06 | not yet calculated | CVE-2016-1514 MISC |
libebml -- libebml | A use-after-free / double-free vulnerability can occur in libebml master branch while parsing Track elements of the MKV container. | 2017-01-06 | not yet calculated | CVE-2016-1515 MISC |
libtiff -- tiff2pdf | An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. The vulnerability can be triggered via a saved TIFF file delivered by other means. | 2017-01-06 | not yet calculated | CVE-2016-5652 MISC |
memcached -- memcached | An integer overflow in the process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution. | 2017-01-06 | not yet calculated | CVE-2016-8706 MISC |
memcached -- memcached | An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution. | 2017-01-06 | not yet calculated | CVE-2016-8704 MISC |
memcached -- memcached | Multiple integer overflows in the process_bin_update function in Memcached, which is responsible for processing multiple commands of the Memcached binary protocol, can be abused to cause a heap overflow and lead to remote code execution. | 2017-01-06 | not yet calculated | CVE-2016-8705 MISC |
ntd -- ntp_daemon | A malicious authenticated peer can create arbitrarily many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock. | 2017-01-06 | not yet calculated | CVE-2016-1549 MISC |
ntp -- libntp | An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key. | 2017-01-06 | not yet calculated | CVE-2016-1550 MISC |
ntp -- ntp | An off-path attacker can cause a preemptable client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. | 2017-01-06 | not yet calculated | CVE-2016-1547 MISC |
ntp -- ntp_daemon | An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. | 2017-01-06 | not yet calculated | CVE-2016-1548 MISC |
ntp -- ntp_daemon | An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-bounds memory copy operation when processing a specially crafted private mode packet. The crafted packet needs to have the correct message authentication code and a valid timestamp. When processed by the NTP daemon, it leads to an immediate crash. | 2017-01-06 | not yet calculated | CVE-2015-7848 MISC |
pidgin -- mxit | A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out-of-bounds write of one byte. A malicious server can send a negative content-length in response to an HTTP request, triggering the vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-2377 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size for a packet which will trigger a buffer overflow. | 2017-01-06 | not yet calculated | CVE-2016-2376 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A buffer overflow vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negative length values to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-2378 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle attacker can send invalid data to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-2370 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash. | 2017-01-06 | not yet calculated | CVE-2016-2365 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash. | 2017-01-06 | not yet calculated | CVE-2016-2366 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-2373 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splash image triggering the vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-4323 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | A NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the vulnerability. | 2017-01-06 | not yet calculated | CVE-2016-2369 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. A specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution. | 2017-01-06 | not yet calculated | CVE-2016-2374 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | An exploitable out-of-bounds read exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure. | 2017-01-06 | not yet calculated | CVE-2016-2375 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out-of-bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead to a potential out-of-bounds read. | 2017-01-06 | not yet calculated | CVE-2016-2380 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle attacker can send an invalid size for a file transfer which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the file is sent to another user. | 2017-01-06 | not yet calculated | CVE-2016-2372 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user. | 2017-01-06 | not yet calculated | CVE-2016-2367 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution. | 2017-01-06 | not yet calculated | CVE-2016-2371 DEBIAN CONFIRM MISC UBUNTU |
pidgin -- mxit | Multiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure. | 2017-01-06 | not yet calculated | CVE-2016-2368 DEBIAN CONFIRM MISC UBUNTU |
pivotal -- gemfire | An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters are unencrypted. An attacker could run any command available on gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster. | 2017-01-06 | not yet calculated | CVE-2016-9885 CONFIRM |
pivotal -- spring_security | An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected. | 2017-01-06 | not yet calculated | CVE-2016-9879 CONFIRM |
ruby -- fiddle_fuction | An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" functionality of Ruby. In Fiddle::Function.new "initialize", the heap buffer "arg_types" is allocated based on the length of the args array. A specially constructed object passed as an element of the args array can increase the array's size after that allocation and cause a heap overflow. | 2017-01-06 | not yet calculated | CVE-2016-2339 MISC |
ruby -- tcltklp | Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing an object of a type other than String as the "retval" argument can cause arbitrary code execution. | 2017-01-06 | not yet calculated | CVE-2016-2337 MISC |
ruby -- win32ole | Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. An attacker passing an object of a type other than the one assumed by the developers can cause arbitrary code execution. | 2017-01-06 | not yet calculated | CVE-2016-2336 MISC |
trane -- comfortlink_scc_firmware | A design flaw in the Trane ComfortLink II SCC firmware version 2.0.2 service allows remote attackers to take complete control of the system. | 2017-01-06 | not yet calculated | CVE-2015-2867 MISC |
trane -- comfortlink_firmware | An exploitable remote code execution vulnerability exists in the DSS service of the Trane ComfortLink II firmware version 2.0.2. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long REG request that can overflow a fixed-size stack buffer, resulting in arbitrary code execution. | 2017-01-06 | not yet calculated | CVE-2015-2868 MISC |