| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7647 | Hig | 0.57 | 8.8 | 0.03 | Apr 10, 2017 | SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows an authenticated user to execute arbitrary commands. | ||
| CVE-2016-8237 | Hig | 0.53 | 8.1 | 0.03 | Apr 10, 2017 | Remote code execution in Lenovo Updates (not Lenovo System Update) allows man-in-the-middle attackers to execute arbitrary code. | ||
| CVE-2016-8235 | Hig | 0.51 | 7.8 | 0.00 | Apr 10, 2017 | Privilege escalation in Lenovo Customer Care Software Development Kit (CCSDK) versions earlier than 2.0.16.3 allows local users to execute code with elevated privileges. | ||
| CVE-2016-10323 | Hig | 0.51 | 7.8 | 0.01 | Apr 10, 2017 | Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command. | ||
| CVE-2016-10322 | Hig | 0.57 | 8.8 | 0.02 | Apr 10, 2017 | Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php. | ||
| CVE-2017-7622 | Hig | 0.57 | 8.8 | 0.01 | Apr 10, 2017 | dde-daemon, the daemon process of DDE (Deepin Desktop Environment) 15.0 through 15.3, runs with root privileges and hardly does anything to identify the user who calls the function through D-Bus. Anybody can change the grub config, even to append some arguments to make a… | ||
| CVE-2016-5041 | Hig | 0.49 | 7.5 | 0.03 | Apr 10, 2017 | dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a debugging information entry using DWARF5 and without a DW_AT_name. | ||
| CVE-2017-7185 | Hig | 0.53 | 7.5 | 0.12 | Apr 10, 2017 | Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data… | ||
| CVE-2017-5988 | Hig | 0.49 | 7.5 | 0.02 | Apr 10, 2017 | NetApp Clustered Data ONTAP 8.1 through 9.1P1, when NFS or SMB is enabled, allows remote attackers to cause a denial of service via unspecified vectors. | ||
| CVE-2016-6879 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | The X509_Certificate::allowed_usage function in botan 1.11.x before 1.11.31 might allow attackers to have unspecified impact by leveraging a call with more than one Key_Usage set in the enum value. | ||
| CVE-2015-7825 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | botan before 1.11.22 improperly validates certificate paths, which allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a certificate with a loop in the certificate chain. | ||
| CVE-2015-7824 | Hig | 0.49 | 7.5 | 0.02 | Apr 10, 2017 | botan 1.11.x before 1.11.22 makes it easier for remote attackers to decrypt TLS ciphertext data via a padding-oracle attack against TLS CBC ciphersuites. | ||
| CVE-2017-7619 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | In ImageMagick 7.0.4-9, an infinite loop can occur because of a floating-point rounding error in some of the color algorithms. This affects ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv. | ||
| CVE-2017-7618 | Hig | 0.49 | 7.5 | 0.04 | Apr 10, 2017 | crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue. | ||
| CVE-2017-7617 | Hig | 0.58 | 8.8 | 0.06 | Apr 10, 2017 | Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI… | ||
| CVE-2017-6190 | Hig | 0.53 | 7.5 | 0.16 | Apr 10, 2017 | Directory traversal vulnerability in the web interface on the D-Link DWR-116 device with firmware before V1.05b09 allows remote attackers to read arbitrary files via a .. (dot dot) in a "GET /uir/" request. | ||
| CVE-2016-6605 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | Impala in CDH 5.2.0 through 5.7.2 and 5.8.0 allows remote attackers to bypass Setry authorization. | ||
| CVE-2015-8378 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | In KeePassX before 0.4.4, a cleartext copy of password data is created upon a cancel of an XML export action. This allows context-dependent attackers to obtain sensitive information by reading the .xml dotfile. | ||
| CVE-2016-6534 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | Opmantek NMIS before 4.3.7c has command injection via man, finger, ping, trace, and nslookup in the tools.pl CGI script. Versions before 8.5.12G might be affected in non-default configurations. | ||
| CVE-2016-5076 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | CloudView NMS before 2.10a allows remote attackers to obtain sensitive information via a direct request for admin/auto.def. | ||
| CVE-2016-5072 | Hig | 0.57 | 8.8 | 0.02 | Apr 10, 2017 | OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition… | ||
| CVE-2016-5071 | Hig | 0.57 | 8.8 | 0.02 | Apr 10, 2017 | Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the management web application as root. | ||
| CVE-2016-5067 | Hig | 0.57 | 8.8 | 0.04 | Apr 10, 2017 | Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes AT command injection. | ||
| CVE-2016-5058 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 allows Zigbee replay. | ||
| CVE-2016-5057 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 does not use SSL pinning. | ||
| CVE-2016-5056 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK. | ||
| CVE-2016-5054 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 allows Zigbee replay. | ||
| CVE-2016-5052 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 does not use SSL pinning. | ||
| CVE-2016-5051 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 stores a PSK in cleartext under /private/var/mobile/Containers/Data/Application. | ||
| CVE-2016-4319 | Hig | 0.57 | 8.8 | 0.01 | Apr 10, 2017 | Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings. | ||
| CVE-2016-1516 | Hig | 0.50 | 8.8 | 0.02 | Apr 10, 2017 | OpenCV 3.0.0 has a double free issue that allows attackers to execute arbitrary code. | ||
| CVE-2015-8258 | Hig | 0.52 | 7.5 | 0.09 | Apr 10, 2017 | AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability." | ||
| CVE-2015-8255 | Hig | 0.60 | 8.8 | 0.02 | Apr 10, 2017 | AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi. | ||
| CVE-2015-7274 | Hig | 0.57 | 8.8 | 0.02 | Apr 10, 2017 | Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 allows remote attackers to execute arbitrary administrative HTTP commands. | ||
| CVE-2015-7270 | Hig | 0.51 | 7.8 | 0.01 | Apr 10, 2017 | Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows directory traversal. | ||
| CVE-2015-7265 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request state, which allows remote attackers to conduct hijacking attacks and bypass ACL checks. | ||
| CVE-2015-7263 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote attackers to conduct hijacking attacks and bypass ACL checks via a crafted host value. | ||
| CVE-2015-7260 | Hig | 0.51 | 7.8 | 0.00 | Apr 10, 2017 | Liebert MultiLink Automated Shutdown v4.2.4 allows local users to gain privileges by replacing the LiebertM executable file. | ||
| CVE-2015-6028 | Hig | 0.57 | 8.8 | 0.01 | Apr 10, 2017 | Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via the sc parameter. | ||
| CVE-2015-2889 | Hig | 0.57 | 8.8 | 0.02 | Apr 10, 2017 | Summer Baby Zoom Wifi Monitor & Internet Viewing System allows remote attackers to gain privileges via manual entry of a Settings URL. | ||
| CVE-2015-2886 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | iBaby M6 allows remote attackers to obtain sensitive information, related to the ibabycloud.com service. | ||
| CVE-2015-2884 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | Philips In.Sight B120/37 allows remote attackers to obtain sensitive information via a direct request, related to yoics.net URLs, stream.m3u8 URIs, and cam_service_enable.cgi. | ||
| CVE-2015-2880 | Hig | 0.57 | 8.8 | 0.01 | Apr 10, 2017 | TRENDnet WiFi Baby Cam TV-IP743SIC has a password of admin for the backdoor root account. | ||
| CVE-2014-2960 | Hig | 0.49 | 7.5 | 0.01 | Apr 10, 2017 | Vision Critical before 2014-05-30 allows attackers to read arbitrary files via unspecified vectors, as demonstrated by image files and configuration files. | ||
| CVE-2017-7605 | Hig | 0.51 | 7.8 | 0.02 | Apr 9, 2017 | aacplusenc.c in HE-AAC+ Codec (aka libaacplus) 2.0.2 has an assertion failure, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. | ||
| CVE-2017-7604 | Hig | 0.51 | 7.8 | 0.01 | Apr 9, 2017 | au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. | ||
| CVE-2017-7603 | Hig | 0.51 | 7.8 | 0.01 | Apr 9, 2017 | au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. | ||
| CVE-2017-7602 | Hig | 0.51 | 7.8 | 0.03 | Apr 9, 2017 | LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. | ||
| CVE-2017-7601 | Hig | 0.51 | 7.8 | 0.02 | Apr 9, 2017 | LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. | ||
| CVE-2017-7600 | Hig | 0.51 | 7.8 | 0.01 | Apr 9, 2017 | LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. |
- risk 0.57cvss 8.8epss 0.03
SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows an authenticated user to execute arbitrary commands.
- risk 0.53cvss 8.1epss 0.03
Remote code execution in Lenovo Updates (not Lenovo System Update) allows man-in-the-middle attackers to execute arbitrary code.
- risk 0.51cvss 7.8epss 0.00
Privilege escalation in Lenovo Customer Care Software Development Kit (CCSDK) versions earlier than 2.0.16.3 allows local users to execute code with elevated privileges.
- risk 0.51cvss 7.8epss 0.01
Synology Photo Station before 6.3-2958 allows local users to gain privileges by leveraging setuid execution of a "synophoto_dsm_user --copy-no-ea" command.
- risk 0.57cvss 8.8epss 0.02
Synology Photo Station before 6.3-2958 allows remote authenticated guest users to execute arbitrary commands via shell metacharacters in the X-Forwarded-For HTTP header to photo/login.php.
- risk 0.57cvss 8.8epss 0.01
dde-daemon, the daemon process of DDE (Deepin Desktop Environment) 15.0 through 15.3, runs with root privileges and hardly does anything to identify the user who calls the function through D-Bus. Anybody can change the grub config, even to append some arguments to make a…
- risk 0.49cvss 7.5epss 0.03
dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a debugging information entry using DWARF5 and without a DW_AT_name.
- risk 0.53cvss 7.5epss 0.12
Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data…
- risk 0.49cvss 7.5epss 0.02
NetApp Clustered Data ONTAP 8.1 through 9.1P1, when NFS or SMB is enabled, allows remote attackers to cause a denial of service via unspecified vectors.
- risk 0.49cvss 7.5epss 0.01
The X509_Certificate::allowed_usage function in botan 1.11.x before 1.11.31 might allow attackers to have unspecified impact by leveraging a call with more than one Key_Usage set in the enum value.
- risk 0.49cvss 7.5epss 0.01
botan before 1.11.22 improperly validates certificate paths, which allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a certificate with a loop in the certificate chain.
- risk 0.49cvss 7.5epss 0.02
botan 1.11.x before 1.11.22 makes it easier for remote attackers to decrypt TLS ciphertext data via a padding-oracle attack against TLS CBC ciphersuites.
- risk 0.49cvss 7.5epss 0.01
In ImageMagick 7.0.4-9, an infinite loop can occur because of a floating-point rounding error in some of the color algorithms. This affects ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv.
- risk 0.49cvss 7.5epss 0.04
crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.
- risk 0.58cvss 8.8epss 0.06
Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI…
- risk 0.53cvss 7.5epss 0.16
Directory traversal vulnerability in the web interface on the D-Link DWR-116 device with firmware before V1.05b09 allows remote attackers to read arbitrary files via a .. (dot dot) in a "GET /uir/" request.
- risk 0.49cvss 7.5epss 0.01
Impala in CDH 5.2.0 through 5.7.2 and 5.8.0 allows remote attackers to bypass Setry authorization.
- risk 0.49cvss 7.5epss 0.01
In KeePassX before 0.4.4, a cleartext copy of password data is created upon a cancel of an XML export action. This allows context-dependent attackers to obtain sensitive information by reading the .xml dotfile.
- risk 0.49cvss 7.5epss 0.01
Opmantek NMIS before 4.3.7c has command injection via man, finger, ping, trace, and nslookup in the tools.pl CGI script. Versions before 8.5.12G might be affected in non-default configurations.
- risk 0.49cvss 7.5epss 0.01
CloudView NMS before 2.10a allows remote attackers to obtain sensitive information via a direct request for admin/auto.def.
- risk 0.57cvss 8.8epss 0.02
OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition…
- risk 0.57cvss 8.8epss 0.02
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the management web application as root.
- risk 0.57cvss 8.8epss 0.04
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes AT command injection.
- risk 0.49cvss 7.5epss 0.01
OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 allows Zigbee replay.
- risk 0.49cvss 7.5epss 0.01
OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 does not use SSL pinning.
- risk 0.49cvss 7.5epss 0.01
OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK.
- risk 0.49cvss 7.5epss 0.01
OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 allows Zigbee replay.
- risk 0.49cvss 7.5epss 0.01
OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 does not use SSL pinning.
- risk 0.49cvss 7.5epss 0.01
OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 stores a PSK in cleartext under /private/var/mobile/Containers/Data/Application.
- risk 0.57cvss 8.8epss 0.01
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
- risk 0.50cvss 8.8epss 0.02
OpenCV 3.0.0 has a double free issue that allows attackers to execute arbitrary code.
- risk 0.52cvss 7.5epss 0.09
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
- risk 0.60cvss 8.8epss 0.02
AXIS Communications products allow CSRF, as demonstrated by admin/pwdgrp.cgi, vaconfig.cgi, and admin/local_del.cgi.
- risk 0.57cvss 8.8epss 0.02
Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 allows remote attackers to execute arbitrary administrative HTTP commands.
- risk 0.51cvss 7.8epss 0.01
Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows directory traversal.
- risk 0.49cvss 7.5epss 0.01
Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request state, which allows remote attackers to conduct hijacking attacks and bypass ACL checks.
- risk 0.49cvss 7.5epss 0.01
The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote attackers to conduct hijacking attacks and bypass ACL checks via a crafted host value.
- risk 0.51cvss 7.8epss 0.00
Liebert MultiLink Automated Shutdown v4.2.4 allows local users to gain privileges by replacing the LiebertM executable file.
- risk 0.57cvss 8.8epss 0.01
Castle Rock Computing SNMPc before 2015-12-17 has SQL injection via the sc parameter.
- risk 0.57cvss 8.8epss 0.02
Summer Baby Zoom Wifi Monitor & Internet Viewing System allows remote attackers to gain privileges via manual entry of a Settings URL.
- risk 0.49cvss 7.5epss 0.01
iBaby M6 allows remote attackers to obtain sensitive information, related to the ibabycloud.com service.
- risk 0.49cvss 7.5epss 0.01
Philips In.Sight B120/37 allows remote attackers to obtain sensitive information via a direct request, related to yoics.net URLs, stream.m3u8 URIs, and cam_service_enable.cgi.
- risk 0.57cvss 8.8epss 0.01
TRENDnet WiFi Baby Cam TV-IP743SIC has a password of admin for the backdoor root account.
- risk 0.49cvss 7.5epss 0.01
Vision Critical before 2014-05-30 allows attackers to read arbitrary files via unspecified vectors, as demonstrated by image files and configuration files.
- risk 0.51cvss 7.8epss 0.02
aacplusenc.c in HE-AAC+ Codec (aka libaacplus) 2.0.2 has an assertion failure, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file.
- risk 0.51cvss 7.8epss 0.01
au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file.
- risk 0.51cvss 7.8epss 0.01
au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file.
- risk 0.51cvss 7.8epss 0.03
LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
- risk 0.51cvss 7.8epss 0.02
LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
- risk 0.51cvss 7.8epss 0.01
LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.