2017-03-28
2017-03-28 14:59Z
CRIT

CVE-2016-10152 — Hesiod_project Hesiod: The read_config_file function in lib/hesiod.c in Hesiod 3.2.1 falls back to the ".athena.mit.edu" default

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10152

The read_config_file function in lib/hesiod.c in Hesiod 3.2.1 falls back to the ".athena.mit.edu" default domain when opening the configuration file fails, which allows remote attackers to gain root privileges by poisoning the DNS cache. CVSSv3.1 9.8 (CRITICAL)

CWECWE 264VNDHesiod ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-28
2017-03-28 02:59Z
CRIT

CVE-2016-9470 — Revive-adserver Revive_adserver: `www/delivery/asyncspc.php` was vulnerable to the fairly new Reflected File Download (RFD) web attack vector

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9470

Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected File Download. `www/delivery/asyncspc.php` was vulnerable to the fairly new Reflected File Download (RFD) web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. CVSSv3.1 9.0 (CRITICAL)

CWECWE 79CWECWE 254VNDRevive AdserverVNDReviveTYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2017-03-28
2017-03-28 02:59Z
HIGH

CVE-2016-9469 — Gitlab Gitlab: Multiple versions of GitLab expose a dangerous method to any authenticated user that could

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9469

Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user. A fix was included in versions 8.14.3, 8.13.8, and 8.12.11, which were released on December 5th 2016 at 3:59 PST. The GitLab versions vulnerable to this are 8.13.0, 8.13.0-ee, 8.13.1, 8.13 CVSSv3.1 8.2 (HIGH)

CWECWE 749CWECWE 264VNDGitlabTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2017-03-28
2017-03-28 02:59Z
HIGH

CVE-2016-9463 — Nextcloud Nextcloud_server: Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9463

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have CVSSv3.1 8.1 (HIGH)

CWECWE 287CWECWE 303VNDNextcloudVNDOwncloudTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-03-28
2017-03-28 02:59Z
HIGH

CVE-2016-9456 — Revive-adserver Revive_adserver: Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9456

Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The Revive Adserver team conducted a security audit of the admin interface scripts in order to identify and fix other potential CSRF vulnerabilities. Over 20+ such issues were fixed. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDRevive AdserverVNDReviveTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-28
2017-03-28 02:59Z
HIGH

CVE-2016-9455 — Revive-adserver Revive_adserver: Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9455

Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). A number of scripts in Revive Adserver's user interface are vulnerable to CSRF attacks: `www/admin/banner-acl.php`, `www/admin/banner-activate.php`, `www/admin/banner-advanced.php`, `www/admin/banner-modify.php`, `www/admin/banner-swf.php`, `www/admin/banner-zone.php`, `www/admin/tracker-modify.php`. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDRevive AdserverVNDReviveTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-28
2017-03-28 02:59Z
HIGH

CVE-2016-9127 — Revive-adserver Revive_adserver: Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9127

Revive Adserver before 3.2.3 suffers from Cross-Site Request Forgery (CSRF). The password recovery form in Revive Adserver is vulnerable to CSRF attacks. This vulnerability could be exploited to send a large number of password recovery emails to the registered users, especially in conjunction with a bug that caused recovery emails to be sent to all the users at once. Both issues have been fixed. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDRevive AdserverVNDReviveTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2017-03-28
2017-03-28 02:59Z
CRIT

CVE-2016-9125 — Revive-adserver Revive_adserver: Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9125

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session. CVSSv3.1 9.8 (CRITICAL)

CWECWE 384VNDRevive AdserverVNDReviveTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-28
2017-03-28 02:59Z
CRIT

CVE-2016-9124 — Revive-adserver Revive_adserver: The login page of Revive Adserver is vulnerable to password-guessing attacks.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9124

Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems CVSSv3.1 9.8 (CRITICAL)

CWECWE 287CWECWE 307VNDRevive AdserverVNDReviveTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-28
2017-03-28 02:59Z
CRIT

CVE-2016-9121 — Go-jose_project Go-jose: When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9121

go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack. CVSSv3.1 9.1 (CRITICAL)

CWECWE 326VNDGo Jose ProjectTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2017-03-27
2017-03-27 22:59Z
HIGH

CVE-2017-1153 — Ibm Tririga_application_platform: TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability that could allow an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-1153

IBM TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability that could allow an authenticated user to execute actions that they do not have access to. IBM Reference #: 1999563. CVSSv3.1 8.8 (HIGH)

VNDIbmTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-27
2017-03-27 22:59Z
HIGH

CVE-2016-8960 — Ibm Cognos_business_intelligence: Cognos Business Intelligence 10.2 could allow a user with lower privilege Capabilities to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-8960

IBM Cognos Business Intelligence 10.2 could allow a user with lower privilege Capabilities to adopt the Capabilities of a higher-privilege user by intercepting the higher-privilege user's cookie value from its HTTP request and then reusing it in subsequent requests. IBM Reference #: 1993718. CVSSv3.1 8.8 (HIGH)

CWECWE 264VNDIbmTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-27
2017-03-27 17:59Z
CRIT

CVE-2017-7191 — Irssi Irssi: The netjoin processing in Irssi 1.x before 1.0.2 allows attackers to cause a denial

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-7191

The netjoin processing in Irssi 1.x before 1.0.2 allows attackers to cause a denial of service (use-after-free) and possibly execute arbitrary code via unspecified vectors. CVSSv3.1 9.8 (CRITICAL)

CWECWE 416VNDIrssiTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-27
2017-03-27 17:59Z
CRIT

CVE-2017-6542 — Putty Putty: The ssh_agent_channel_data function in PuTTY before 0.68 allows remote attackers to have unspecified impact

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6542

The ssh_agent_channel_data function in PuTTY before 0.68 allows remote attackers to have unspecified impact via a large length value in an agent protocol message and leveraging the ability to connect to the Unix-domain socket representing the forwarded agent connection, which trigger a buffer overflow. CVSSv3.1 9.8 (CRITICAL)

CWECWE 119VNDPuttyVNDOpensuse ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-27
2017-03-27 17:59Z
HIGH

CVE-2017-6460 — Ntp Ntp: Stack-based buffer overflow in the reslist function in ntpq in NTP before 4.2.8p10 and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6460

Stack-based buffer overflow in the reslist function in ntpq in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote servers have unspecified impact via a long flagstr variable in a restriction list response. CVSSv3.1 8.8 (HIGH)

CWECWE 119VNDStackVNDNtpTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-27
2017-03-27 17:59Z
HIGH

CVE-2017-6458 — Ntp Ntp: Multiple buffer overflows in the ctl_put* functions in NTP before 4.2.8p10 and 4.3.x before

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6458

Multiple buffer overflows in the ctl_put* functions in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allow remote authenticated users to have unspecified impact via a long variable. CVSSv3.1 8.8 (HIGH)

CWECWE 119VNDNtpTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-27
2017-03-27 17:59Z
HIGH

CVE-2015-8764 — Freeradius Freeradius: Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8, which triggers a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-8764

Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8, which triggers a buffer overflow. CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDFreeradiusVNDOffTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-03-27
2017-03-27 17:59Z
HIGH

CVE-2015-8763 — Freeradius Freeradius: The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to have unspecified

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-8763

The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to have unspecified impact via a crafted (1) commit or (2) confirm message, which triggers an out-of-bounds read. CVSSv3.1 8.1 (HIGH)

CWECWE 125VNDFreeradiusVNDEapTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-03-27
2017-03-27 17:59Z
HIGH

CVE-2015-0864 — Samsung Galaxy_app: Account (AKA com.osp.app.signin) before 1.6.0069 and 2.x before 2.1.0069 allows man-in-the-middle attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-0864

Samsung Account (AKA com.osp.app.signin) before 1.6.0069 and 2.x before 2.1.0069 allows man-in-the-middle attackers to obtain sensitive information and execute arbitrary code. CVSSv3.1 8.0 (HIGH)

CWECWE 264VNDSamsungTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2017-03-27
2017-03-27 17:59Z
HIGH

CVE-2015-0863 — Samsung Galaxy_app: GALAXY Apps (aka Samsung Apps, Samsung Updates, or com.sec.android.app.samsungapps) before 14120405.03.012 allows man-in-the-middle attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-0863

GALAXY Apps (aka Samsung Apps, Samsung Updates, or com.sec.android.app.samsungapps) before 14120405.03.012 allows man-in-the-middle attackers to obtain sensitive information and execute arbitrary code. CVSSv3.1 8.0 (HIGH)

CWECWE 264VNDSamsungVNDGalaxyTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2017-03-27
2017-03-27 15:59Z
HIGH

CVE-2017-5931 — Qemu Qemu: Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-5931

Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow. CVSSv3.1 8.8 (HIGH)

CWECWE 190VNDQemuTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-27
2017-03-27 14:59Z
HIGH

CVE-2017-6957 — Broadcom Bcm4339_soc_firmware: Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC SoC chips, when the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6957

Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC SoC chips, when the firmware supports CCKM Fast and Secure Roaming and the feature is enabled in RAM, allows remote attackers to execute arbitrary code via a crafted reassociation response frame with a Cisco IE (156). CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDBroadcomVNDStackTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-03-27
2017-03-27 02:59Z
HIGH

CVE-2017-6069 — Intelliants Subrion_cms: Subrion CMS 4.0.5 has CSRF in admin/blog/add/.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6069

Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add any tag, and can optionally insert XSS via the tags parameter. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDIntelliantsVNDSubrionTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-27
2017-03-27 02:59Z
HIGH

CVE-2017-6068 — Intelliants Subrion_cms: Subrion CMS 4.0.5 has CSRF in admin/blocks/add/.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6068

Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can create any block, and can optionally insert XSS via the content parameter. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDIntelliantsVNDSubrionTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-27
2017-03-27 02:59Z
HIGH

CVE-2017-6066 — Intelliants Subrion_cms: Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6066

Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker can perform any Edit Language action, and can optionally insert XSS via the title parameter. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDIntelliantsVNDSubrionTYPVulnerability
8.8
CVSS v3.1
94
Edit Score