The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2015-2210 | The help window in Epicor CRS Retail Store before 3.2.03.01.008 allows local users to execute arbitrary code by injecting Javascript into the window source to create a button that spawns a command shell. | HIGH | Sep 6, 2017 |
| CVE-2015-3161 | The search bar code in bkr/server/widgets.py in Beaker before 20.1 does not escape </script> tags in string literals when producing JSON. | LOW | Sep 6, 2017 |
| CVE-2015-3450 | Heap-based buffer overflow in libaxl 0.6.9 allows attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted XML document. | MEDIUM | Sep 6, 2017 |
| CVE-2015-3654 | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators to gain root privileges via unspecified vectors, a different vulnerability than CVE-2015-4649. | High | Sep 6, 2017 |
| CVE-2015-3656 | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated lower-level administrators to gain privileges by leveraging failure to properly enforce authorization checks. | Medium | Sep 6, 2017 |
| CVE-2015-3657 | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated lower-level administrators to gain Super Admin privileges via unspecified vectors. | Medium | Sep 6, 2017 |
| CVE-2015-3976 | Cross-site scripting (XSS) vulnerability in GE Multilink ML810/3000/3100 series switch 5.2.0 and earlier, and GE Multilink ML800/1200/1600/2400 4.2.1 and earlier. | Low | Sep 6, 2017 |
| CVE-2015-5186 | Audit before 2.4.4 in Linux does not sanitize escape characters in filenames. | MEDIUM | Sep 6, 2017 |
| CVE-2015-5705 | Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename. | MEDIUM | Sep 6, 2017 |
| CVE-2015-5958 | phpFileManager 0.9.8 allows remote attackers to execute arbitrary commands via a crafted URL. | High | Sep 6, 2017 |
| CVE-2015-6250 | simple-php-captcha before commit 9d65a945029c7be7bb6bc893759e74c5636be694 allows remote attackers to automatically generate the captcha response by running the same code on the client-side. | MEDIUM | Sep 6, 2017 |
| CVE-2015-7225 | Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not burn a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step. | LOW | Sep 6, 2017 |
| CVE-2015-7294 | ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username. | MEDIUM | Sep 6, 2017 |
| CVE-2015-7746 | NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8 in the volume language. | High | Sep 6, 2017 |
| CVE-2015-8299 | Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1.5 (Build 3246) allows remote attackers to execute arbitrary code via a crafted KNXnet/IP UDP packet. | High | Sep 6, 2017 |
| CVE-2015-8300 | Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: Full Control) for Program Files (x86)polycompolycom btoe connectorplcmbtoesrv.exe, which allows local users to gain privileges via a Trojan horse file. | High | Sep 6, 2017 |
| CVE-2015-8316 | Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1.16.6 when the XDMCP server is enabled allows remote attackers to cause a denial of service (process crash) via an XDMCP request packet with no address. | MEDIUM | Sep 6, 2017 |
| CVE-2016-0354 | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime meeting room, that could be downloaded by unsuspecting users which could be executed with user privileges. IBM X-Force ID: 111893. | Medium | Sep 6, 2017 |
| CVE-2016-0355 | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111894. | Medium | Sep 6, 2017 |
| CVE-2016-0356 | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID: 111895. | Medium | Sep 6, 2017 |
| CVE-2016-10508 | Multiple cross-site scripting (XSS) vulnerabilities in phpThumb() before 1.7.14 allow remote attackers to inject arbitrary web script or HTML via parameters in demo/phpThumb.demo.showpic.php. | Medium | Sep 6, 2017 |
| CVE-2016-10509 | SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php. | Medium | Sep 6, 2017 |
| CVE-2016-1895 | NetApp Data ONTAP before 8.2.5 and 8.3.x before 8.3.2P12 allow remote authenticated users to cause a denial of service via vectors related to unsafe user input string handling. | Medium | Sep 6, 2017 |
| CVE-2016-2959 | IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting room manager to remove the primary managers privileges. IBM X-Force ID: 113804. | Medium | Sep 6, 2017 |
| CVE-2016-2965 | IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID: 113846. | Medium | Sep 6, 2017 |
| CVE-2016-2969 | IBM Sametime Meeting Server 8.5.2 and 9.0 may send replies that contain emails of people that should not be in these messages. IBM X-Force ID: 113850. | Medium | Sep 6, 2017 |
| CVE-2016-2971 | IBM Sametime Media Services 8.5.2 and 9.0 can disclose sensitive information in stack trace error logs that could aid an attacker in future attacks. IBM X-Force ID: 113898. | Medium | Sep 6, 2017 |
| CVE-2016-2972 | IBM Sametime Meeting Server 8.5.2 and 9.0 could store credentials of the Sametime Meetings user in the local cache of their browser which could be accessed by a local user. IBM X-Force ID: 113855. | Low | Sep 6, 2017 |
| CVE-2016-2973 | IBM Sametime Media Services 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113899. | Low | Sep 6, 2017 |
| CVE-2016-2977 | IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a malicious user to lower other users hands in the meeting. IBM X-Force ID: 113937. | Medium | Sep 6, 2017 |
| CVE-2016-2979 | IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113945. | Low | Sep 6, 2017 |
| CVE-2016-3086 | The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. | MEDIUM | Sep 6, 2017 |
| CVE-2016-7030 | FreeIPA uses a default password policy that locks an account after 5 unsuccessful authentication attempts, which allows remote attackers to cause a denial of service by locking out the account in which system services run on. | Medium | Sep 6, 2017 |
| CVE-2017-0901 | RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. | Medium | Sep 6, 2017 |
| CVE-2017-1000083 | backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a -- command-line option substring, as demonstrated by a --checkpoint-action=exec=bash at the beginning of the filename. | Medium | Sep 6, 2017 |
| CVE-2017-10848 | Untrusted search path vulnerability in Installers for DocuWorks 8.0.7 and earlier and DocuWorks Viewer Light published in Jul 2017 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | High | Sep 6, 2017 |
| CVE-2017-10851 | Untrusted search path vulnerability in Installer for ContentsBridge Utility for Windows 7.4.0 and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. | High | Sep 6, 2017 |
| CVE-2017-1129 | IBM Notes 8.5 and 9.0 is vulnerable to a denial of service. If a user is persuaded to click on a malicious link, it could cause the Notes client to hang and have to be restarted. IBM X-Force ID: 121370. | Medium | Sep 6, 2017 |
| CVE-2017-12421 | NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authenticated users to execute arbitrary code on the storage controller via unspecified vectors. | Medium | Sep 6, 2017 |
| CVE-2017-12422 | NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3.0.4, and 10.4.x before 10.4.0.2 allow remote authenticated users to delete arbitrary objects via unspecified vectors. | Medium | Sep 6, 2017 |
| CVE-2017-12423 | NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authenticated users to read data on other Storage Virtual Machines (SVMs) via unspecified vectors. | Medium | Sep 6, 2017 |
| CVE-2017-12797 | Integer overflow in the INT123_parse_new_id3 function in the ID3 parser in mpg123 before 1.25.5 on 32-bit platforms allows remote attackers to cause a denial of service via a crafted file, which triggers a heap-based buffer overflow. | Medium | Sep 6, 2017 |
| CVE-2017-12865 | Stack-based buffer overflow in dnsproxy.c in connman 1.34 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted response query string passed to the name variable. | High | Sep 6, 2017 |
| CVE-2017-12867 | The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. | Medium | Sep 6, 2017 |
| CVE-2017-12869 | The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input. | Medium | Sep 6, 2017 |
| CVE-2017-12873 | SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. | High | Sep 6, 2017 |
| CVE-2017-12874 | The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities. | Medium | Sep 6, 2017 |
| CVE-2017-13673 | The vga display update in Qemu 2.8.0 through 2.9.0 mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. | Medium | Sep 6, 2017 |
| CVE-2017-13674 | Symantec ProxyClient 3.4 for Windows is susceptible to a privilege escalation vulnerability. A malicious local Windows user can, under certain circumstances, exploit this vulnerability to escalate their privileges on the system and execute arbitrary code with LocalSystem privileges. | HIGH | Sep 6, 2017 |
| CVE-2017-13738 | There is an illegal address access in the _lou_getALine function in compileTranslationTable.c:346 in Liblouis 3.2.0. | Medium | Sep 6, 2017 |
