2018-04-11
2018-04-11 13:29Z
CRIT

CVE-2018-1273 — Broadcom Spring_data_commons: An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2018-1273in the wild

Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 94VNDApacheVNDBroadcomVNDPivotal SoftwareTYPVulnerabilitySTAitw exploited
9.8
CVSS v3.1
100
Edit Score
2018-03-27
2018-03-27 17:29Z
HIGH

CVE-2018-7195 — Enhancesoft Osticket: before 1.10.2 allows remote attackers to reset arbitrary passwords (when an associated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2018-7195

Enhancesoft osTicket before 1.10.2 allows remote attackers to reset arbitrary passwords (when an associated e-mail address is known) by leveraging guest access and guessing a 6-digit number. CVSSv3.1 8.1 (HIGH) · EPSS 59th percentile

VNDEnhancesoftTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2018-01-04
2018-01-04 13:29Z
MED

CVE-2017-5754 — Intel Atom_c: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-5754

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. CVSSv3.1 5.6 (MEDIUM) · EPSS 100th percentile

CWECWE 200VNDIntelTYPVulnerability
5.6
CVSS v3.1
100
Edit Score
2018-01-04
2018-01-04 13:29Z
MED

CVE-2017-5753 — Intel Atom_c: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-5753

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. CVSSv3.1 5.6 (MEDIUM) · EPSS 100th percentile

CWECWE 203VNDIntelTYPVulnerability
5.6
CVSS v3.1
100
Edit Score
2018-01-04
2018-01-04 06:29Z
CRIT

CVE-2017-8046 — Vmware Spring_boot: Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 20VNDVmwareVNDMaliciousTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2017-11-16
2017-11-16 21:29Z
HIGH

CVE-2017-16715 — Moxa Nport_5110_firmware: An attacker may be able to exploit a flaw in the handling of Ethernet

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-16715

An Information Exposure issue was discovered in Moxa NPort 5110 Version 2.2, NPort 5110 Version 2.4, NPort 5110 Version 2.6, NPort 5110 Version 2.7, NPort 5130 Version 3.7 and prior, and NPort 5150 Version 3.7 and prior. An attacker may be able to exploit a flaw in the handling of Ethernet frame padding that may allow for information exposure. CVSSv3.1 8.6 (HIGH) · EPSS 48th percentile

CWECWE 200VNDInformationVNDMoxaTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2017-11-16
2017-11-16 07:29Z
HIGH

CVE-2017-12350 — Cisco Umbrella_virtual_appliance: A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and earlier could allow an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-12350

A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 and earlier could allow an authenticated, local attacker to log in to an affected virtual appliance with root privileges. The vulnerability is due to the presence of default, static user credentials for an affected virtual appliance. An attacker could exploit this vulnerability by using the hypervisor console to connect locally to an affected system and then using the static credentials to log in to an affect CVSSv3.1 8.2 (HIGH) · EPSS 27th percentile

CWECWE 798VNDCiscoTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
728 × 90 / responsive · programmatic ad slot
2017-08-30
2017-08-30 20:29Z
HIGH

CVE-2017-14032 — Arm Mbed_tls: mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-14032

ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected. CVSSv3.1 8.1 (HIGH) · EPSS 51th percentile

CWECWE 287VNDArmTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-07-17
2017-07-17 13:18Z
CRIT

CVE-2017-11349 — Thermofisher Dt8x_firmware: dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs or schedules, for purposes

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-11349

dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs or schedules, for purposes such as sending e-mail messages or making outbound connections to FTP servers for uploading data. CVSSv3.1 9.8 (CRITICAL) · EPSS 70th percentile

CWECWE 522VNDThermofisherVNDDt8xTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-07-12
2017-07-12 12:29Z
CRIT

CVE-2017-11165 — Thermofisher Dt80_dex_firmware: dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration information

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-11165

dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitive credential and configuration information via a direct request for the /services/getFile.cmd?userfile=config.xml URI. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 200VNDThermofisherVNDDt80TYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2017-06-30
2017-06-30 03:29Z
CRIT

CVE-2017-7903 — Rockwellautomation 1763-l16awa_series_a: A Weak Password Requirements issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-7903

A Weak Password Requirements issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and CVSSv3.1 9.8 (CRITICAL) · EPSS 46th percentile

CWECWE 326CWECWE 521VNDWeakVNDRockwellautomationTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-06-30
2017-06-30 03:29Z
CRIT

CVE-2017-7898 — Rockwellautomation 1763-l16awa_series_a: There are no penalties for repeatedly entering incorrect passwords.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-7898

An Improper Restriction of Excessive Authentication Attempts issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic contro CVSSv3.1 9.8 (CRITICAL) · EPSS 79th percentile

CWECWE 307VNDRockwellautomationTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-06-30
2017-06-30 03:29Z
CRIT

CVE-2017-6034 — Schneider-electric Modbus_firmware: An Authentication Bypass by Capture-Replay issue was discovered in Schneider Electric Modicon Modbus Protocol.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6034

An Authentication Bypass by Capture-Replay issue was discovered in Schneider Electric Modicon Modbus Protocol. Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and download. CVSSv3.1 9.8 (CRITICAL) · EPSS 32th percentile

CWECWE 287CWECWE 294VNDSchneider ElectricTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-06-07
2017-06-07 15:29Z
HIGH

CVE-2017-7563 — Trustedfirmware Trusted_firmware-a: In ARM Trusted Firmware 1.3, RO memory is always executable at AArch64 Secure EL1

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-7563

In ARM Trusted Firmware 1.3, RO memory is always executable at AArch64 Secure EL1, allowing attackers to bypass the MT_EXECUTE_NEVER protection mechanism. This issue occurs because of inconsistency in the number of execute-never bits (one bit versus two bits). CVSSv3.1 8.1 (HIGH) · EPSS 57th percentile

CWECWE 732VNDArmVNDTrustedfirmwareTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-05-23
2017-05-23 04:29Z
HIGH

CVE-2016-9842 — Zlib Zlib: The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9842

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. CVSSv3.1 8.8 (HIGH) · EPSS 91th percentile

CWECWE 1335VNDZlibTYPVulnerability
8.8
CVSS v3.1
96
Edit Score
2017-05-23
2017-05-23 04:29Z
CRIT

CVE-2016-9841 — Zlib Zlib: inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9841

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. CVSSv3.1 9.8 (CRITICAL) · EPSS 94th percentile

VNDZlibTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2017-05-23
2017-05-23 04:29Z
HIGH

CVE-2016-9840 — Boost Boost: inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9840

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. CVSSv3.1 8.8 (HIGH) · EPSS 91th percentile

VNDBoostVNDZlibTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2017-04-20
2017-04-20 18:59Z
HIGH

CVE-2017-2784 — Trustedfirmware Mbed_tls: A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-2784

An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vu CVSSv3.1 8.1 (HIGH) · EPSS 72th percentile

CWECWE 295VNDTrustedfirmwareTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-04-11
2017-04-11 18:59Z
CRIT

CVE-2016-1908 — Openbsd Openssh: The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-1908

The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server. CVSSv3.1 9.8 (CRITICAL) · EPSS 84th percentile

CWECWE 287VNDOracleVNDOpensshTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2017-04-06
2017-04-06 21:59Z
CRIT

CVE-2017-7575 — Schneider-electric Modicon_tm221ce16r_firmware: Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-7575

Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote attackers to discover the application-protection password via a \x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00 request to the Modbus port (502/tcp). Subsequently the application may be arbitrarily downloaded, modified, and uploaded. CVSSv3.1 9.8 (CRITICAL) · EPSS 80th percentile

CWECWE 200VNDSchneider ElectricVNDSchneiderTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-04-06
2017-04-06 21:59Z
CRIT

CVE-2017-7574 — Schneider-electric Modicon_tm221ce16r_firmware: The Project Protection feature is used to prevent unauthorized users from opening an XML

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-7574

Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modicon TM221CE16R 1.3.3.3 devices have a hardcoded-key vulnerability. The Project Protection feature is used to prevent unauthorized users from opening an XML protected project file, by prompting the user for a password. This XML file is AES-CBC encrypted; however, the key used for encryption (SoMachineBasicSoMachineBasicSoMa) cannot be changed. After decrypting the XML file with this key, the user password ca CVSSv3.1 9.8 (CRITICAL) · EPSS 50th percentile

CWECWE 798CWECWE 321VNDSchneider ElectricVNDSchneiderTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-04-02
2017-04-02 20:59Z
HIGH

CVE-2015-8671 — Huawei Logcenter: V100R001C10 could allow an authenticated attacker to tamper with requests using a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-8671

Huawei LogCenter V100R001C10 could allow an authenticated attacker to tamper with requests using a tool and submit a request to the server for privilege escalation, affecting some system functions. CVSSv3.1 8.8 (HIGH)

CWECWE 264VNDHuaweiTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-04-02
2017-04-02 20:59Z
HIGH

CVE-2014-9696 — Huawei Tecal_e9000_chassis_firmware: The Hyper Module Management (HMM) software of Huawei Tecal E9000 Chassis V100R001C00SPC160 and earlier

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2014-9696

The Hyper Module Management (HMM) software of Huawei Tecal E9000 Chassis V100R001C00SPC160 and earlier versions allows the operator to modify the user configuration of iMana through privilege escalation. CVSSv3.1 8.8 (HIGH)

CWECWE 264VNDHuaweiVNDHyperTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-04-02
2017-04-02 20:59Z
HIGH

CVE-2014-9695 — Huawei Tecal_e9000_chassis_firmware: The Hyper Module Management (HMM) software of Huawei Tecal E9000 Chassis V100R001C00SPC160 and earlier

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2014-9695

The Hyper Module Management (HMM) software of Huawei Tecal E9000 Chassis V100R001C00SPC160 and earlier versions could allow a non-super-domain user who accesses HMM through SNMPv3 to perform operations on a server as a super-domain user. CVSSv3.1 8.8 (HIGH)

CWECWE 264VNDHuaweiVNDHyperTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-04-02
2017-04-02 20:59Z
HIGH

CVE-2014-9694 — Huawei Tecal_rh1288_v2_firmware: Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2014-9694

Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R002C00SPC111 and earlier versions, Tecal RH2268 V2 V100R002C00, Tecal RH2288 V2 V100R002C00SPC117 and earlier versions, Tecal RH2288H V2 V100R002C00SPC115 and earlier versions, Tecal RH2485 V2 V100R002C00SPC502 and earlier versions, Tecal RH5885 V2 V100R001C02SPC109 and earlier ve CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDHuaweiTYPVulnerability
8.8
CVSS v3.1
94
Edit Score