| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-7272 | Cri | 0.64 | 9.8 | 0.03 | Apr 10, 2017 | Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long SSH username or input. | ||
| CVE-2015-7271 | Cri | 0.64 | 9.8 | 0.03 | Apr 10, 2017 | Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo. | ||
| CVE-2015-7264 | Cri | 0.64 | 9.8 | 0.01 | Apr 10, 2017 | The SPDY/2 codec in Facebook Proxygen before 2015-11-09 truncates a certain field to two bytes, which allows hijacking and injection attacks. | ||
| CVE-2015-2888 | Cri | 0.64 | 9.8 | 0.02 | Apr 10, 2017 | Summer Baby Zoom Wifi Monitor & Internet Viewing System allows remote attackers to bypass authentication, related to the MySnapCam web service. | ||
| CVE-2015-2887 | Cri | 0.64 | 9.8 | 0.01 | Apr 10, 2017 | iBaby M3S has a password of admin for the backdoor admin account. | ||
| CVE-2015-2885 | Cri | 0.64 | 9.8 | 0.01 | Apr 10, 2017 | Lens Peek-a-View has a password of 2601hx for the backdoor admin account, a password of user for the backdoor user account, and a password of guest for the backdoor guest account. | ||
| CVE-2015-2882 | Cri | 0.64 | 9.8 | 0.02 | Apr 10, 2017 | Philips In.Sight B120/37 has a password of b120root for the backdoor root account, a password of /ADMIN/ for the backdoor admin account, a password of merlin for the backdoor mg3500 account, a password of M100-4674448 for the backdoor user account, and a password of M100-4674448… | ||
| CVE-2015-2881 | Cri | 0.64 | 9.8 | 0.02 | Apr 10, 2017 | Gynoii has a password of guest for the backdoor guest account and a password of 12345 for the backdoor admin account. | ||
| CVE-2017-7614 | Cri | 0.64 | 9.8 | 0.04 | Apr 9, 2017 | elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have… | ||
| CVE-2017-0561 | Cri | 0.69 | 9.8 | 0.30 | Apr 7, 2017 | A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC.… | ||
| CVE-2007-6760 | Cri | 0.64 | 9.8 | 0.02 | Apr 7, 2017 | Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie. | ||
| CVE-2007-6759 | Cri | 0.64 | 9.8 | 0.02 | Apr 7, 2017 | Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie. | ||
| CVE-2017-7581 | Cri | 0.71 | 9.8 | 0.48 | Apr 7, 2017 | SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed. | ||
| CVE-2017-7577 | Cri | 0.66 | 9.8 | 0.29 | Apr 7, 2017 | XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request. | ||
| CVE-2017-7576 | Cri | 0.64 | 9.8 | 0.01 | Apr 6, 2017 | DragonWave Horizon 1.01.03 wireless radios have hardcoded login credentials (such as the username of energetic and password of wireless) meant to allow the vendor to access the devices. These credentials can be used in the web interface or by connecting to the device via TELNET.… | ||
| CVE-2017-7575 | Cri | 0.64 | 9.8 | 0.04 | Apr 6, 2017 | Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password via a \x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00 request to the Modbus port (502/tcp). Subsequently the application may be arbitrarily downloaded,… | ||
| CVE-2017-7574 | Cri | 0.64 | 9.8 | 0.01 | Apr 6, 2017 | Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a… | ||
| CVE-2016-8735 | Cri | 0.76 | 9.8 | 0.90 | KEV | Apr 6, 2017 | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated… | |
| CVE-2016-6809 | Cri | 0.57 | 9.8 | 0.08 | Apr 6, 2017 | Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. | ||
| CVE-2015-8965 | Cri | 0.64 | 9.8 | 0.03 | Apr 6, 2017 | Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in… | ||
| CVE-2017-3834 | Cri | 0.64 | 9.8 | 0.04 | Apr 6, 2017 | A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an unauthenticated, remote attacker to take complete control of an affected device. The vulnerability is due to the existence of default… | ||
| CVE-2017-7237 | Cri | 0.67 | 9.8 | 0.07 | Apr 6, 2017 | The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks data\configurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a… | ||
| CVE-2017-0305 | Cri | 0.64 | 9.8 | 0.04 | Apr 6, 2017 | F5 SSL Intercept iApp version 1.5.0 - 1.5.7 is vulnerable to an unauthenticated, remote attack that may allow modification of the BIG-IP system configuration, extraction of sensitive system files, and possible remote command execution on the system when deployed using the… | ||
| CVE-2017-7450 | Cri | 0.64 | 9.8 | 0.01 | Apr 5, 2017 | AIRTAME HDMI dongle with firmware before 2.2.0 allows unauthenticated access to a big part of the management interface. It is possible to extract all information including the Wi-Fi password, reboot, or force a software update at an arbitrary time. | ||
| CVE-2016-10229 | Cri | 0.58 | 9.8 | 0.13 | Apr 4, 2017 | udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. | ||
| CVE-2017-7410 | Cri | 0.64 | 9.8 | 0.03 | Apr 3, 2017 | Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter. | ||
| CVE-2017-7402 | Cri | 0.67 | 9.8 | 0.05 | Apr 3, 2017 | Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg. | ||
| CVE-2017-5642 | Cri | 0.64 | 9.8 | 0.02 | Apr 3, 2017 | During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs. | ||
| CVE-2014-3928 | Cri | 0.64 | 9.8 | 0.02 | Apr 3, 2017 | Cougar-LG stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials. | ||
| CVE-2014-3927 | Cri | 0.64 | 9.8 | 0.04 | Apr 3, 2017 | mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to execute arbitrary shell code. | ||
| CVE-2017-5949 | Cri | 0.64 | 9.8 | 0.02 | Apr 3, 2017 | JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 22, allows remote attackers to cause a denial of service (heap-based out-of-bounds write and application crash) or possibly have unspecified other impact via crafted JavaScript code that triggers… | ||
| CVE-2016-10312 | Cri | 0.64 | 9.8 | 0.03 | Apr 3, 2017 | Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to execute arbitrary commands via shell metacharacters to certain /goform/* pages. | ||
| CVE-2014-9693 | Cri | 0.64 | 9.8 | 0.01 | Apr 2, 2017 | Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2… | ||
| CVE-2017-2477 | Cri | 0.64 | 9.8 | 0.01 | Apr 2, 2017 | An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "libxslt" component. It allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | ||
| CVE-2017-2434 | Cri | 0.64 | 9.8 | 0.02 | Apr 2, 2017 | An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "HomeKit" component. It allows attackers to have an unspecified impact by leveraging the presence of Home Control on Control Center. | ||
| CVE-2017-2428 | Cri | 0.64 | 9.8 | 0.03 | Apr 2, 2017 | An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves nghttp2 before 1.17.0 in the "HTTPProtocol" component. It allows remote HTTP/2… | ||
| CVE-2017-2423 | Cri | 0.64 | 9.8 | 0.02 | Apr 2, 2017 | An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. The issue involves the "Security" component. It allows remote attackers to bypass intended access restrictions by leveraging a successful result from a… | ||
| CVE-2017-2402 | Cri | 0.64 | 9.8 | 0.02 | Apr 2, 2017 | An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves mishandling of profile uninstall actions in the "MCX Client" component when a profile has multiple payloads. It allows remote attackers to bypass intended access restrictions… | ||
| CVE-2016-6111 | Cri | 0.59 | 9.1 | 0.02 | Mar 31, 2017 | IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all… | ||
| CVE-2017-3010 | Cri | 0.64 | 9.8 | 0.05 | Mar 31, 2017 | Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the rendering engine. Successful exploitation could lead to arbitrary code execution. | ||
| CVE-2014-5009 | Cri | 0.57 | 9.8 | 0.05 | Mar 31, 2017 | Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008. | ||
| CVE-2014-5008 | Cri | 0.64 | 9.8 | 0.04 | Mar 31, 2017 | Snoopy allows remote attackers to execute arbitrary commands. | ||
| CVE-2014-3931 | Cri | 0.78 | 9.8 | 0.27 | KEV | Mar 31, 2017 | fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote attackers to cause an arbitrary memory write and memory corruption. | |
| CVE-2008-7313 | Cri | 0.64 | 9.8 | 0.05 | Mar 31, 2017 | The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists dues to an incomplete fix for CVE-2008-4796. | ||
| CVE-2017-6182 | Cri | 0.68 | 9.8 | 0.17 | Mar 30, 2017 | In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304. | ||
| CVE-2014-9826 | Cri | 0.64 | 9.8 | 0.04 | Mar 30, 2017 | ImageMagick allows remote attackers to have unspecified impact via vectors related to error handling in sun files. | ||
| CVE-2017-7324 | Cri | 0.64 | 9.8 | 0.02 | Mar 30, 2017 | setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter. | ||
| CVE-2017-7321 | Cri | 0.64 | 9.8 | 0.02 | Mar 30, 2017 | setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | ||
| CVE-2017-7318 | Cri | 0.64 | 9.8 | 0.04 | Mar 30, 2017 | Siklu EtherHaul devices before 7.4.0 are vulnerable to a remote command execution (RCE) vulnerability. This vulnerability allows a remote attacker to execute commands and retrieve information such as usernames and plaintext passwords from the device with no authentication. | ||
| CVE-2016-10309 | Cri | 0.64 | 9.8 | 0.02 | Mar 30, 2017 | In the GUI of Ceragon FibeAir IP-10 (before 7.2.0) devices, a remote attacker can bypass authentication by adding an ALBATROSS cookie with the value 0-4-11 to their browser. |
- risk 0.64cvss 9.8epss 0.03
Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long SSH username or input.
- risk 0.64cvss 9.8epss 0.03
Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo.
- risk 0.64cvss 9.8epss 0.01
The SPDY/2 codec in Facebook Proxygen before 2015-11-09 truncates a certain field to two bytes, which allows hijacking and injection attacks.
- risk 0.64cvss 9.8epss 0.02
Summer Baby Zoom Wifi Monitor & Internet Viewing System allows remote attackers to bypass authentication, related to the MySnapCam web service.
- risk 0.64cvss 9.8epss 0.01
iBaby M3S has a password of admin for the backdoor admin account.
- risk 0.64cvss 9.8epss 0.01
Lens Peek-a-View has a password of 2601hx for the backdoor admin account, a password of user for the backdoor user account, and a password of guest for the backdoor guest account.
- risk 0.64cvss 9.8epss 0.02
Philips In.Sight B120/37 has a password of b120root for the backdoor root account, a password of /ADMIN/ for the backdoor admin account, a password of merlin for the backdoor mg3500 account, a password of M100-4674448 for the backdoor user account, and a password of M100-4674448…
- risk 0.64cvss 9.8epss 0.02
Gynoii has a password of guest for the backdoor guest account and a password of 12345 for the backdoor admin account.
- risk 0.64cvss 9.8epss 0.04
elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have…
- risk 0.69cvss 9.8epss 0.30
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC.…
- risk 0.64cvss 9.8epss 0.02
Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie.
- risk 0.64cvss 9.8epss 0.02
Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie.
- risk 0.71cvss 9.8epss 0.48
SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed.
- risk 0.66cvss 9.8epss 0.29
XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request.
- risk 0.64cvss 9.8epss 0.01
DragonWave Horizon 1.01.03 wireless radios have hardcoded login credentials (such as the username of energetic and password of wireless) meant to allow the vendor to access the devices. These credentials can be used in the web interface or by connecting to the device via TELNET.…
- risk 0.64cvss 9.8epss 0.04
Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password via a \x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00 request to the Modbus port (502/tcp). Subsequently the application may be arbitrarily downloaded,…
- risk 0.64cvss 9.8epss 0.01
Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a…
- risk 0.76cvss 9.8epss 0.90
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated…
- risk 0.57cvss 9.8epss 0.08
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
- risk 0.64cvss 9.8epss 0.03
Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in…
- risk 0.64cvss 9.8epss 0.04
A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an unauthenticated, remote attacker to take complete control of an affected device. The vulnerability is due to the existence of default…
- risk 0.67cvss 9.8epss 0.07
The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks data\configurations directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69, as demonstrated by a…
- risk 0.64cvss 9.8epss 0.04
F5 SSL Intercept iApp version 1.5.0 - 1.5.7 is vulnerable to an unauthenticated, remote attack that may allow modification of the BIG-IP system configuration, extraction of sensitive system files, and possible remote command execution on the system when deployed using the…
- risk 0.64cvss 9.8epss 0.01
AIRTAME HDMI dongle with firmware before 2.2.0 allows unauthenticated access to a big part of the management interface. It is possible to extract all information including the Wi-Fi password, reboot, or force a software update at an arbitrary time.
- risk 0.58cvss 9.8epss 0.13
udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.
- risk 0.64cvss 9.8epss 0.03
Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter.
- risk 0.67cvss 9.8epss 0.05
Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg.
- risk 0.64cvss 9.8epss 0.02
During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artifacts are not created with proper ACLs.
- risk 0.64cvss 9.8epss 0.02
Cougar-LG stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials.
- risk 0.64cvss 9.8epss 0.04
mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to execute arbitrary shell code.
- risk 0.64cvss 9.8epss 0.02
JavaScriptCore in WebKit, as distributed in Safari Technology Preview Release 22, allows remote attackers to cause a denial of service (heap-based out-of-bounds write and application crash) or possibly have unspecified other impact via crafted JavaScript code that triggers…
- risk 0.64cvss 9.8epss 0.03
Jensen of Scandinavia AS Air:Link 3G (AL3G) version 2.23m (Rev. 3), Air:Link 5000AC (AL5000AC) version 1.13, and Air:Link 59300 (AL59300) version 1.04 (Rev. 4) devices allow remote attackers to execute arbitrary commands via shell metacharacters to certain /goform/* pages.
- risk 0.64cvss 9.8epss 0.01
Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2…
- risk 0.64cvss 9.8epss 0.01
An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves the "libxslt" component. It allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "HomeKit" component. It allows attackers to have an unspecified impact by leveraging the presence of Home Control on Control Center.
- risk 0.64cvss 9.8epss 0.03
An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. tvOS before 10.2 is affected. watchOS before 3.2 is affected. The issue involves nghttp2 before 1.17.0 in the "HTTPProtocol" component. It allows remote HTTP/2…
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in certain Apple products. iOS before 10.3 is affected. macOS before 10.12.4 is affected. The issue involves the "Security" component. It allows remote attackers to bypass intended access restrictions by leveraging a successful result from a…
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in certain Apple products. macOS before 10.12.4 is affected. The issue involves mishandling of profile uninstall actions in the "MCX Client" component when a profile has multiple payloads. It allows remote attackers to bypass intended access restrictions…
- risk 0.59cvss 9.1epss 0.02
IBM Curam Social Program Management 6.0 and 7.0 are vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all…
- risk 0.64cvss 9.8epss 0.05
Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 and earlier, 11.0.18 and earlier have an exploitable memory corruption vulnerability in the rendering engine. Successful exploitation could lead to arbitrary code execution.
- risk 0.57cvss 9.8epss 0.05
Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008.
- risk 0.64cvss 9.8epss 0.04
Snoopy allows remote attackers to execute arbitrary commands.
- risk 0.78cvss 9.8epss 0.27
fastping.c in MRLG (aka Multi-Router Looking Glass) before 5.5.0 allows remote attackers to cause an arbitrary memory write and memory corruption.
- risk 0.64cvss 9.8epss 0.05
The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists dues to an incomplete fix for CVE-2008-4796.
- risk 0.68cvss 9.8epss 0.17
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
- risk 0.64cvss 9.8epss 0.04
ImageMagick allows remote attackers to have unspecified impact via vectors related to error handling in sun files.
- risk 0.64cvss 9.8epss 0.02
setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter.
- risk 0.64cvss 9.8epss 0.02
setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI.
- risk 0.64cvss 9.8epss 0.04
Siklu EtherHaul devices before 7.4.0 are vulnerable to a remote command execution (RCE) vulnerability. This vulnerability allows a remote attacker to execute commands and retrieve information such as usernames and plaintext passwords from the device with no authentication.
- risk 0.64cvss 9.8epss 0.02
In the GUI of Ceragon FibeAir IP-10 (before 7.2.0) devices, a remote attacker can bypass authentication by adding an ALBATROSS cookie with the value 0-4-11 to their browser.