The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2016-9979 | IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120255. | LOW | Apr 20, 2017 | n/a |
| CVE-2016-9980 | IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120256. | LOW | Apr 20, 2017 | n/a |
| CVE-2017-0189 | An elevation of privilege vulnerability exists in Windows 10 when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode, aka Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2017-0188. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-0191 | A denial of service vulnerability exists in the way that Windows 7, Windows 8.1, Windows 10, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding, aka Windows Denial of Service Vulnerability. | LOW | Apr 20, 2017 | n/a |
| CVE-2017-0192 | The Adobe Type Manager Font Driver (ATMFD.dll) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold , 1511, 1607, and 1703 allows an attacker to gain sensitive information via a specially crafted document or an untrusted website, aka ATMFD.dll Information Disclosure Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-0194 | Microsoft Excel 2007 SP3, Microsoft Excel 2010 SP2, and Office Compatibility Pack SP2 allow remote attackers to obtain sensitive information from process memory via a crafted Office document, aka Microsoft Office Information Disclosure Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-0195 | Microsoft Excel Services on Microsoft SharePoint Server 2010 SP1 and SP2, Microsoft Excel Web Apps 2010 SP2, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps Server 2013 SP1 and Office Online Server allows remote attackers to perform cross-site scripting and run script with local user privileges via a crafted request, aka Microsoft Office XSS Elevation of Privilege Vulnerability. | LOW | Apr 20, 2017 | n/a |
| CVE-2017-0197 | Microsoft OneNote 2007 SP3 and Microsoft OneNote 2010 SP2 allow remote attackers to execute arbitrary code via a crafted document, aka Microsoft Office DLL Loading Vulnerability. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-0199 | Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-0200 | A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user, aka Microsoft Edge Memory Corruption Vulnerability. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-0201 | A remote code execution vulnerability exists in Internet Explorer in the way that the JScript and VBScript engines render when handling objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, aka Scripting Engine Memory Corruption Vulnerability. This CVE ID is unique from CVE-2017-0093. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-0202 | A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, a.k.a. Internet Explorer Memory Corruption Vulnerability. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-0203 | A vulnerability exists in Microsoft Edge when the Edge Content Security Policy (CSP) fails to properly validate certain specially crafted documents. An attacker could trick a user into loading a web page with malicious content, aka Microsoft Edge Security Feature Bypass Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-0204 | Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outlook 2013 SP1, and Microsoft Outlook 2016 allow remote attackers to bypass the Office Protected View via a specially crafted document, aka Microsoft Office Security Feature Bypass Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-0205 | A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user, aka Microsoft Edge Memory Corruption Vulnerability. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-0207 | Microsoft Outlook for Mac 2011 allows remote attackers to spoof web content via a crafted email with specific HTML tags, aka Microsoft Browser Spoofing Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-0208 | An information disclosure vulnerability exists in Microsoft Edge when the Chakra scripting engine does not properly handle objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system, a.k.a. Scripting Engine Information Disclosure Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-0210 | An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain, aka Internet Explorer Elevation of Privilege Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-0211 | An elevation of privilege vulnerability exists in Windows 10, Windows 8.1, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 versions of Microsoft Windows OLE when it fails an integrity-level check, aka Windows OLE Elevation of Privilege Vulnerability. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-1122 | IBM Security Guardium 8.2, 9.0, and 10.0 contains a vulnerability that could allow a local attacker with CLI access to inject arbitrary commands which would be executed as root. IBM X-Force ID: 121174. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-2784 | An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-2806 | An exploitable arbitrary read exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a arbitrary read resulting in memory disclosure. The vulnerability was confirmed on versions 11.3.0.2228 and 11.3.0.2400 | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-2989 | Adobe Campaign versions Build 8770 and earlier have an input validation bypass that could be exploited to read, write, or delete data from the Campaign database. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-3004 | Adobe Photoshop versions CC 2017 (18.0.1) and earlier, CC 2015.5.1 (17.0.1) and earlier have a memory corruption vulnerability when parsing malicious PCX files. Successful exploitation could lead to arbitrary code execution. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-3005 | Adobe Photoshop versions CC 2017 (18.0.1) and earlier, CC 2015.5.1 (17.0.1) and earlier have an unquoted search path vulnerability. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-3007 | Adobe Thor versions 3.9.5.353 and earlier have a vulnerability in the directory search path used to find resources, related to Creative Cloud desktop applications. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-4969 | The Cloud Controller in Cloud Foundry cf-release versions prior to v255 allows authenticated developer users to exceed memory and disk quotas for tasks. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-5183 | NetIQ Access Manager 4.2.2 and 4.3.x before 4.3.1+, when configured as an Identity Server, has XSS in the AssertionConsumerServiceURL field of a signed AuthnRequest in a samlp:AuthnRequest document. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-5190 | NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when configured as a SAML 2.0 Identity Server with Virtual Attributes, has a concurrency issue causing information leakage, related to a stale profile. | LOW | Apr 20, 2017 | n/a |
| CVE-2017-5936 | OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-6059 | Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7218 | The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 allows remote authenticated users to gain privileges via unspecified request parameters. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7220 | OpenText Documentum Content Server allows superuser access via sys_obj_save or save of a crafted object, followed by an unauthorized UPDATE dm_dbo.dm_user_s SET user_privileges=16 command, aka an RPC save-commands attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4532. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-7279 | An unprivileged user of the Unitrends Enterprise Backup before 9.0.0 web server can escalate to root privileges by modifying the token cookie issued at login. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-7280 | An issue was discovered in api/includes/systems.php in Unitrends Enterprise Backup before 9.0.0. User input is not properly filtered before being sent to a popen function. This allows for remote code execution by sending a specially crafted user variable. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-7281 | An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A lack of sanitization of user input in the createReportName and saveReport functions in recoveryconsole/bpl/reports.php allows for an authenticated user to create a randomly named file on disk with a user-controlled extension, contents, and path, leading to remote code execution, aka Unrestricted File Upload. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7284 | An attacker that has hijacked a Unitrends Enterprise Backup (before 9.1.2) web server session can leverage api/includes/users.php to change the password of the logged in account without knowing the current password. This allows for an account takeover. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7455 | Moxa MXView 2.8 allows remote attackers to read web server's private key file, no access control. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7456 | Moxa MXView 2.8 allows remote attackers to cause a Denial of Service by sending overly long junk payload for the MXView client login credentials. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7626 | The Smart related articles extension 1.1 for Joomla! has XSS in dialog.php (n_art,type in GET Method). | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7627 | The Smart related articles extension 1.1 for Joomla! does not prevent direct requests to dialog.php (there is a missing _JEXEC check). | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7628 | The Smart related articles extension 1.1 for Joomla! has SQL injection in dialog.php (attacker must use search_cats variable in POST method to exploit this vulnerability). | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-7716 | The read_u32_leb128 function in libr/util/uleb128.c in radare2 1.3.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted Web Assembly file. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7719 | SQL injection in the Spider Event Calendar (aka spider-event-calendar) plugin before 1.5.52 for WordPress is exploitable with the order_by parameter to calendar_functions.php or widget_Theme_functions.php, related to front_end/frontend_functions.php. | HIGH | Apr 20, 2017 | n/a |
| CVE-2017-7725 | concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a canonical URL on installation of concrete5 using the Advanced Options settings. Remote attackers can make a GET request with any domain name in the Host header; this is stored and allows for arbitrary domains to be set for certain links displayed to subsequent visitors, potentially an XSS vector. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7741 | In libsndfile before 1.0.28, an error in the flac_buffer_copy() function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7742 | In libsndfile before 1.0.28, an error in the flac_buffer_copy() function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7853 | In libosip2 in GNU oSIP 5.0.0, a malformed SIP message can lead to a heap buffer overflow in the msg_osip_body_parse() function defined in osipparser2/osip_message_parse.c, resulting in a remote DoS. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7854 | The consume_init_expr function in wasm.c in radare2 1.3.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted Web Assembly file. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2017-7856 | LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::ImplConvertFromSVM1 function in vcl/source/gdi/svmconverter.cxx. | HIGH | Apr 20, 2017 | n/a |
