2017-03-07
2017-03-07 16:59Z
CRIT

CVE-2016-7781 — Exponentcms Exponent_cms: SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-7781

SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDExponentcmsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-07
2017-03-07 16:59Z
CRIT

CVE-2016-7780 — Exponentcms Exponent_cms: SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-7780

SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDExponentcmsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-07
2017-03-07 15:59Z
CRIT

CVE-2017-3159 — Apache Camel: Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-3159

Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502VNDApacheTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-07
2017-03-07 15:59Z
CRIT

CVE-2016-7145 — Nefarious2_project Nefarious2: The m_authenticate function in ircd/m_authenticate.c in nefarious2 allows remote attackers to spoof certificate fingerprints

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-7145

The m_authenticate function in ircd/m_authenticate.c in nefarious2 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter. CVSSv3.1 9.8 (CRITICAL)

CWECWE 287VNDNefarious2 ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-06
2017-03-06 06:59Z
HIGH

CVE-2017-6411 — Dlink Dsl-2730u_firmware: Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devices allows remote attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6411

Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devices allows remote attackers to change the DNS or firewall configuration or any password. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDDlinkTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-06
2017-03-06 06:59Z
HIGH

CVE-2017-5633 — D-link Di-524_firmware: Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-5633

Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs. CVSSv3.1 8.0 (HIGH)

CWECWE 352VNDD LinkVNDCsrfTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2017-03-06
2017-03-06 02:59Z
CRIT

CVE-2017-6416 — Flexense Sysgauge: A buffer overflow vulnerability in SMTP connection verification leads to arbitrary code execution.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6416

An issue was discovered in SysGauge 1.5.18. A buffer overflow vulnerability in SMTP connection verification leads to arbitrary code execution. The attack vector is a crafted SMTP daemon that sends a long 220 (aka "Service ready") string. CVSSv3.1 9.8 (CRITICAL)

CWECWE 119VNDSysgaugeVNDFlexenseTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2017-03-06
2017-03-06 02:59Z
HIGH

CVE-2017-6351 — Wepresent Wipg-1500_firmware: The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6351

The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded manufacturer account. This account is not documented, nor is the DEBUG feature or the use of telnetd on port tcp/5885. CVSSv3.1 8.1 (HIGH)

CWECWE 798VNDWepresentTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-03-05
2017-03-05 20:59Z
HIGH

CVE-2017-6445 — Openelec Openelec: The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6445

The auto-update feature of Open Embedded Linux Entertainment Center (OpenELEC) 6.0.3, 7.0.1, and 8.0.4 uses neither encrypted connections nor signed updates. A man-in-the-middle attacker could manipulate the update packages to gain root access remotely. CVSSv3.1 8.1 (HIGH)

CWECWE 347CWECWE 311VNDOpenelecTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2017-03-03
2017-03-03 16:59Z
HIGH

CVE-2016-7408 — Dropbear_ssh_project Dropbear_ssh: The dbclient in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-7408

The dbclient in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via a crafted (1) -m or (2) -c argument. CVSSv3.1 8.8 (HIGH)

CWECWE 284VNDDropbear Ssh ProjectVNDDropbearTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-03
2017-03-03 16:59Z
CRIT

CVE-2016-7407 — Dropbear_ssh_project Dropbear_ssh: The dropbearconvert command in Dropbear SSH before 2016.74 allows attackers to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-7407

The dropbearconvert command in Dropbear SSH before 2016.74 allows attackers to execute arbitrary code via a crafted OpenSSH key file. CVSSv3.1 9.8 (CRITICAL)

CWECWE 20VNDDropbear Ssh ProjectVNDDropbearTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-03
2017-03-03 16:59Z
CRIT

CVE-2016-7406 — Dropbear_ssh_project Dropbear_ssh: Format string vulnerability in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-7406

Format string vulnerability in Dropbear SSH before 2016.74 allows remote attackers to execute arbitrary code via format string specifiers in the (1) username or (2) host argument. CVSSv3.1 9.8 (CRITICAL)

CWECWE 20VNDDropbear Ssh ProjectVNDFormatTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-03
2017-03-03 16:59Z
HIGH

CVE-2015-8814 — Umbraco Umbraco: before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-8814

Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDUmbracoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-03
2017-03-03 16:59Z
HIGH

CVE-2015-8813 — Umbraco Umbraco: The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-8813

The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter. CVSSv3.1 8.2 (HIGH)

CWECWE 918VNDUmbracoVNDPage LoadTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2017-03-03
2017-03-03 15:59Z
CRIT

CVE-2017-5830 — Revive-adserver Revive_adserver: Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-5830

Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502VNDRevive AdserverVNDReviveTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-03
2017-03-03 15:59Z
HIGH

CVE-2017-2290 — Puppet Mcollective-puppet-agent: On Windows installations of the mcollective-puppet-agent plugin, version 1.12.0, a non-administrator user can create

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-2290

On Windows installations of the mcollective-puppet-agent plugin, version 1.12.0, a non-administrator user can create an executable that will be executed with administrator privileges on the next "mco puppet" run. Puppet Enterprise users are not affected. This is resolved in mcollective-puppet-agent 1.12.1. CVSSv3.1 8.8 (HIGH)

CWECWE 732VNDPuppetTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-03
2017-03-03 15:59Z
HIGH

CVE-2016-10206 — Zoneminder Zoneminder: Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10206

Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. CVSSv3.1 8.8 (HIGH)

CWECWE 352VNDCsrfVNDZoneminderTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-03
2017-03-03 15:59Z
CRIT

CVE-2016-10204 — Zoneminder Zoneminder: SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10204

SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDZoneminderTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-03
2017-03-03 15:59Z
CRIT

CVE-2016-10194 — Festivaltts4r_project Festivaltts4r: The festivaltts4r gem for Ruby allows remote attackers to execute arbitrary commands via shell

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10194

The festivaltts4r gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the (1) to_speech or (2) to_mp3 method in lib/festivaltts4r/festival4r.rb. CVSSv3.1 9.8 (CRITICAL)

CWECWE 77VNDFestivaltts4r ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-03
2017-03-03 15:59Z
CRIT

CVE-2016-10193 — Espeak-ruby_project Espeak-ruby: The espeak-ruby gem before 1.0.3 for Ruby allows remote attackers to execute arbitrary commands

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10193

The espeak-ruby gem before 1.0.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the speak, save, bytes or bytes_wav method in lib/espeak/speech.rb. CVSSv3.1 9.8 (CRITICAL)

CWECWE 284VNDEspeak Ruby ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-03
2017-03-03 15:59Z
CRIT

CVE-2016-10127 — Pysaml2_project Pysaml2: allows remote attackers to conduct XML external entity (XXE) attacks via a crafted

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10127

PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response. CVSSv3.1 9.0 (CRITICAL)

CWECWE 611VNDPysaml2 ProjectVNDPysaml2TYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2017-03-02
2017-03-02 06:59Z
HIGH

CVE-2017-6413 — Openidc Mod_auth_openidc: The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6413

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. CVSSv3.1 8.6 (HIGH)

CWECWE 287VNDOpenidcVNDConnectTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2017-03-02
2017-03-02 06:59Z
CRIT

CVE-2017-6409 — Veritas Netbackup: Unauthenticated CORBA interfaces permit inappropriate access.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6409

An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and earlier. Unauthenticated CORBA interfaces permit inappropriate access. CVSSv3.1 9.8 (CRITICAL)

CWECWE 306VNDVeritasTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-03-02
2017-03-02 06:59Z
HIGH

CVE-2017-6407 — Veritas Netbackup: An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBackup Appliance Before 2.7.2.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6407

An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBackup Appliance Before 2.7.2. Privileged remote command execution on NetBackup Server and Client (on the server or a connected client) can occur. CVSSv3.1 8.8 (HIGH)

VNDVeritasTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-03-02
2017-03-02 06:59Z
HIGH

CVE-2017-6406 — Veritas Access: An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBackup Appliance Before 2.7.2.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-6406

An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBackup Appliance Before 2.7.2. Arbitrary privileged command execution, using whitelist directory escape with "../" substrings, can occur. CVSSv3.1 8.8 (HIGH)

VNDVeritasTYPVulnerability
8.8
CVSS v3.1
94
Edit Score