The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2017-0060 | The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka GDI+ Information Disclosure Vulnerability. This vulnerability is different from those described in CVE-2017-0060 and CVE-2017-0062. | LOW | Mar 21, 2017 | n/a |
| CVE-2017-0061 | The Color Management Module (ICM32.dll) memory handling functionality in Windows Vista SP2, Windows Server 2008 SP2 and R2, and Windows 7 SP1 allows remote attackers to bypass ASLR and execute code in combination with another vulnerability through a crafted website, aka Microsoft Color Management Information Disclosure Vulnerability. This vulnerability is different from that described in CVE-2017-0063. | LOW | Mar 21, 2017 | n/a |
| CVE-2017-0062 | The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka GDI+ Information Disclosure Vulnerability. This vulnerability is different from those described in CVE-2017-0060 and CVE-2017-0073. | LOW | Mar 21, 2017 | n/a |
| CVE-2017-0079 | The kernel-mode drivers in Windows 8.1; Windows Server 2012 R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka Win32k Elevation of Privilege Vulnerability. This vulnerability is different from those described in CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0080, CVE-2017-0081, and CVE-2017-0082. | HIGH | Mar 21, 2017 | n/a |
| CVE-2017-0080 | The kernel-mode drivers in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Server 2016 allow local users to gain privileges via a crafted application, aka Win32k Elevation of Privilege Vulnerability. This vulnerability is different from those described in CVE-2017-0024, CVE-2017-0026, CVE-2017-0056, CVE-2017-0078, CVE-2017-0079, CVE-2017-0081, and CVE-2017-0082. | HIGH | Mar 21, 2017 | n/a |
| CVE-2017-0095 | Hyper-V in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Server 2016 does not properly validate vSMB packet data, which allows attackers to execute arbitrary code on a target OS, aka Hyper-V vSMB Remote Code Execution Vulnerability. This vulnerability is different from that described in CVE-2017-0021. | HIGH | Mar 21, 2017 | n/a |
| CVE-2017-0108 | The Windows Graphics Component in Microsoft Office 2007 SP3; 2010 SP2; and Word Viewer; Skype for Business 2016; Lync 2013 SP1; Lync 2010; Live Meeting 2007; Silverlight 5; Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; and Windows 7 SP1 allows remote attackers to execute arbitrary code via a crafted web site, aka Graphics Component Remote Code Execution Vulnerability. This vulnerability is different from that described in CVE-2017-0014. | HIGH | Mar 21, 2017 | n/a |
| CVE-2017-0129 | Microsoft Lync for Mac 2011 fails to properly validate certificates, allowing remote attackers to alter server-client communications, aka Microsoft Lync for Mac Certificate Validation Vulnerability. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3811 | An XML External Entity vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc39165. Known Affected Releases: 2.6. Known Fixed Releases: 2.7.1.2054. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3815 | An API Privilege vulnerability in Cisco TelePresence Server Software could allow an unauthenticated, remote attacker to emulate Cisco TelePresence Server endpoints. Affected Products: This vulnerability affects Cisco TelePresence Server MSE 8710 Processors that are running a software release prior to Cisco TelePresence Software Release 4.3 and are running in locally managed mode. The vulnerable API was deprecated in Cisco TelePresence Software Release 4.3. More Information: CSCvc37616. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3866 | A vulnerability in the web framework code of Cisco Prime Service Catalog could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected system. More Information: CSCvc79842 CSCvc79846 CSCvc79855 CSCvc79873 CSCvc79882 CSCvc79891. Known Affected Releases: 11.1.2. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3868 | A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc44344. Known Affected Releases: 6.0(0.0). | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3869 | An API Credentials Management vulnerability in the APIs for Cisco Prime Infrastructure could allow an authenticated, remote attacker to access an API that should be restricted to a privileged user. The attacker needs to have valid credentials. More Information: CSCuy36192. Known Affected Releases: 3.1(1) 3.1(1). | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3871 | A RADIUS Secret Disclosure vulnerability in the web network management interface of Cisco Prime Optical for Service Providers could allow an authenticated, remote attacker to disclose sensitive information in the configuration generated for a device. The attacker must have valid credentials for the device. More Information: CSCvc65257. Known Affected Releases: 10.6(0.1). | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3872 | A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct XSS attacks against a user of an affected device. More Information: CSCvc21620. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.641) 12.0(0.98000.500) 12.0(0.98000.219). | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3874 | A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an authenticated, remote attacker to perform a cross-site scripting (XSS) attack. More Information: CSCvb70033. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.507) 11.0(1.23900.5) 11.0(1.23900.3) 10.5(2.15900.2). | LOW | Mar 21, 2017 | n/a |
| CVE-2017-3877 | A vulnerability in the web framework of Cisco Unified Communications Manager (CallManager) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack against a user of the web interface of the affected software. More Information: CSCvb70021. Known Affected Releases: 11.5(1.11007.2). | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3878 | A Denial of Service vulnerability in the Telnet remote login functionality of Cisco NX-OS Software running on Cisco Nexus 9000 Series Switches could allow an unauthenticated, remote attacker to cause a Telnet process used for login to terminate unexpectedly and the login attempt to fail. There is no impact to user traffic flowing through the device. Affected Products: This vulnerability affects Cisco Nexus 9000 Series Switches that are running Cisco NX-OS Software and are configured to allow remote Telnet connections to the device. More Information: CSCux46778. Known Affected Releases: 7.0(3)I3(0.170). Known Fixed Releases: 7.0(3)I3(1) 7.0(3)I3(0.257) 7.0(3)I3(0.255) 7.0(3)I2(2e) 7.0(3)F1(1.22) 7.0(3)F1(1). | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3880 | An Authentication Bypass vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to access limited meeting information on the Cisco WebEx Meetings Server. More Information: CSCvd50728. Known Affected Releases: 2.6 2.7 2.8 CWMS-2.5MR1 Orion1.1.2.patch T29_orion_merge. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-3881 | A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: (1) the failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device; and (2) the incorrect processing of malformed CMP-specific Telnet options. An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device. This affects Catalyst switches, Embedded Service 2020 switches, Enhanced Layer 2 EtherSwitch Service Module, Enhanced Layer 2/3 EtherSwitch Service Module, Gigabit Ethernet Switch Module (CGESM) for HP, IE Industrial Ethernet switches, ME 4924-10GE switch, RF Gateway 10, and SM-X Layer 2/3 EtherSwitch Service Module. Cisco Bug IDs: CSCvd48893. | HIGH | Mar 21, 2017 | n/a |
| CVE-2017-5358 | Stack-based buffer overflows in php_Easycom5_3_0.dll in EasyCom for PHP 4.0.0.29 allows remote attackers to execute arbitrary code via the server argument to the (1) i5_connect, (2) i5_pconnect, or (3) i5_private_connect API function. | HIGH | Mar 21, 2017 | n/a |
| CVE-2017-5359 | EasyCom SQL iPlug allows remote attackers to cause a denial of service via the D$EVAL parameter to the default URI. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-5496 | Sawmill Enterprise 8.7.9 allows remote attackers to gain login access by leveraging knowledge of a password hash. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-5537 | The password reset form in Weblate before 2.10.1 provides different error messages depending on whether the email address is associated with an account, which allows remote attackers to enumerate user accounts via a series of requests. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-5643 | Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-6414 | Memory leak in the vcard_apdu_new function in card_7816.c in libcacard before 2.5.3 allows local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-6880 | Buffer overflow in Cerberus FTP Server 8.0.10.3 allows remote attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long MLST command. | HIGH | Mar 21, 2017 | n/a |
| CVE-2017-6951 | The keyring_search_aux function in security/keys/keyring.c in the Linux kernel through 3.14.79 allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the dead type. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-6954 | An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-6955 | An issue was discovered in by-email/by-email.php in the Invite Anyone plugin before 1.3.15 for WordPress. A user is able to change the subject and the body of the invitation mail that should be immutable, which facilitates a social engineering attack. | MEDIUM | Mar 21, 2017 | n/a |
| CVE-2017-6967 | xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect location, leading to PAM session modules not being properly initialized, with a potential consequence of incorrect configurations or elevation of privileges, aka a pam_limits.so bypass. | HIGH | Mar 21, 2017 | n/a |
| CVE-2014-8701 | Wonder CMS 2014 allows remote attackers to obtain sensitive information by viewing /files/password, which reveals the unsalted MD5 hashed password. | Medium | Mar 20, 2017 | n/a |
| CVE-2014-8702 | Wonder CMS 2014 allows remote attackers to obtain sensitive information by logging into the application with an array for the password, which reveals the installation path in an error message. | Medium | Mar 20, 2017 | n/a |
| CVE-2014-8703 | Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows remote attackers to inject arbitrary web script or HTML. | Medium | Mar 20, 2017 | n/a |
| CVE-2014-8704 | Directory traversal vulnerability in index.php in Wonder CMS 2014 allows remote attackers to include and execute arbitrary local files via a crafted theme. | High | Mar 20, 2017 | n/a |
| CVE-2014-8705 | PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter. | High | Mar 20, 2017 | n/a |
| CVE-2014-8707 | Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web script or HTML via the edit HTML source option. | Medium | Mar 20, 2017 | n/a |
| CVE-2014-8708 | Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature. | High | Mar 20, 2017 | n/a |
| CVE-2014-8722 | GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/<username>.xml, (2) backups/users/<username>.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml. | Medium | Mar 20, 2017 | n/a |
| CVE-2014-8723 | GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) plugins/anonymous_data.php or (2) plugins/InnovationPlugin.php, which reveals the installation path in an error message. | Medium | Mar 20, 2017 | n/a |
| CVE-2015-3881 | Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml. | Medium | Mar 20, 2017 | n/a |
| CVE-2015-3882 | qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message. | Medium | Mar 20, 2017 | n/a |
| CVE-2015-3883 | Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2) Name of application on index.php/configuration; (3) a new project name on index.php/projects; (4) the task name on index.php/tasks; (5) ticket name on index.php/tickets; (6) discussion name on index.php/discussions; (7) report name on index.php/projectReports; or (8) event name on index.php/scheduler/personal. | Medium | Mar 20, 2017 | n/a |
| CVE-2015-3884 | Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/. | High | Mar 20, 2017 | n/a |
| CVE-2015-7313 | LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file. | Medium | Mar 20, 2017 | n/a |
| CVE-2016-10187 | The E-book viewer in calibre before 2.75 allows remote attackers to read arbitrary files via a crafted epub file with JavaScript. | MEDIUM | Mar 20, 2017 | n/a |
| CVE-2017-0007 | Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka PowerShell Security Feature Bypass Vulnerability. | LOW | Mar 20, 2017 | n/a |
| CVE-2017-0010 | A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability is different from those described in CVE-2017-0015, CVE-2017-0032, CVE-2017-0035, CVE-2017-0067, CVE-2017-0070, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0141, CVE-2017-0150, and CVE-2017-0151. | HIGH | Mar 20, 2017 | n/a |
| CVE-2017-0015 | A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability is different from those described in CVE-2017-0010, CVE-2017-0032, CVE-2017-0035, CVE-2017-0067, CVE-2017-0070, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0141, CVE-2017-0150, and CVE-2017-0151. | HIGH | Mar 20, 2017 | n/a |
| CVE-2017-0018 | Microsoft Internet Explorer 10 and 11 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka Internet Explorer Memory Corruption Vulnerability. This vulnerability is different from those described in CVE-2017-0037 and CVE-2017-0149. | HIGH | Mar 20, 2017 | n/a |
