Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2016-9639 — Saltstack Salt: before 2015.8.11 allows deleted minions to read or write to minions with the
Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. CVSSv3.1 9.1 (CRITICAL)
CVE-2016-6667 — Netapp Oncommand_unified_manager_for_clustered_data_ontap: OnCommand Unified Manager for Clustered Data ONTAP 6.3 through 6.4P1 contain a default
NetApp OnCommand Unified Manager for Clustered Data ONTAP 6.3 through 6.4P1 contain a default privileged account, which allows remote attackers to execute arbitrary code via unspecified vectors. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-5711 — Netapp Virtual_storage_console_for_vmware_vsphere: Virtual Storage Console for VMware vSphere before 6.2.1 uses a non-unique certificate, which
NetApp Virtual Storage Console for VMware vSphere before 6.2.1 uses a non-unique certificate, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-3180 — Tor_browser_launcher_project Tor_browser_launcher: Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers
Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Trojan horse tar file and a signature file with the valid tarball and signature. CVSSv3.1 8.1 (HIGH)
CVE-2016-2403 — Sensiolabs Symfony: before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-1894 — Netapp Oncommand_workflow_automation: OnCommand Workflow Automation before 3.1P2 allows remote attackers to bypass authentication via unspecified
NetApp OnCommand Workflow Automation before 3.1P2 allows remote attackers to bypass authentication via unspecified vectors. CVSSv3.1 8.1 (HIGH)
CVE-2015-8322 — Netapp Data_ontap: OnCommand System Manager 8.3.x before 8.3.2 allows remote authenticated users to execute arbitrary
NetApp OnCommand System Manager 8.3.x before 8.3.2 allows remote authenticated users to execute arbitrary code via unspecified vectors. CVSSv3.1 8.8 (HIGH)
CVE-2015-7599 — Windriver Vxworks: Integer overflow in the _authenticate function in svc_auth.c in Wind River VxWorks 5.5 through
Integer overflow in the _authenticate function in svc_auth.c in Wind River VxWorks 5.5 through 6.9.4.1, when the Remote Procedure Call (RPC) protocol is enabled, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a username and password. CVSSv3.1 8.1 (HIGH)
CVE-2016-7400 — Exponentcms Exponent_cms: Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-6199 — Gradle Gradle: ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-6175 — Php-gettext_project Php-gettext: Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary
Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-2539 — Atutor Atutor: Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers
Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file. CVSSv3.1 8.8 (HIGH)
CVE-2015-8608 — Perl Perl: The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a
The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument. CVSSv3.1 9.8 (CRITICAL)
CVE-2017-5677 — Pear Html_ajax: 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP
PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression. CVSSv3.1 9.8 (CRITICAL)
CVE-2017-5368 — Zoneminder Zoneminder: v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF
ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user u CVSSv3.1 8.8 (HIGH)
CVE-2016-7447 — Graphicsmagick Graphicsmagick: Heap-based buffer overflow in the EscapeParenthesis function in GraphicsMagick before 1.3.25 allows remote attackers
Heap-based buffer overflow in the EscapeParenthesis function in GraphicsMagick before 1.3.25 allows remote attackers to have unspecified impact via unknown vectors. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-7446 — Graphicsmagick Graphicsmagick: Buffer overflow in the MVG and SVG rendering code in GraphicsMagick 1.3.24 allows remote
Buffer overflow in the MVG and SVG rendering code in GraphicsMagick 1.3.24 allows remote attackers to have unspecified impact via unknown vectors. Note: This vulnerability exists due to an incomplete patch for CVE-2016-2317. CVSSv3.1 9.8 (CRITICAL)
CVE-2017-5879 — Exponentcms Exponent_cms: This is a blind SQL injection that can be exploited by un-authenticated users via
An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects source_selector.php and the following parameter: src. CVSSv3.1 9.8 (CRITICAL)
CVE-2015-2794 — Dnnsoftware Dotnetnuke: The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile
CVE-2017-2583 — Linux Linux_kernel: The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a
The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a "MOV SS, NULL selector" instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application. CVSSv3.1 8.4 (HIGH)
CVE-2016-10150 — Linux Linux_kernel: Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13
Use-after-free vulnerability in the kvm_ioctl_create_device function in virt/kvm/kvm_main.c in the Linux kernel before 4.8.13 allows host OS users to cause a denial of service (host OS crash) or possibly gain privileges via crafted ioctl calls on the /dev/kvm device. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-10098 — Sendquick Entera_sms_gateway_firmware: Multiple Command Injection vulnerabilities allow attackers to execute arbitrary system commands.
An issue was discovered on SendQuick Entera and Avera devices before 2HF16. Multiple Command Injection vulnerabilities allow attackers to execute arbitrary system commands. CVSSv3.1 9.8 (CRITICAL)
CVE-2016-6500 — Forgerock Racf_connector: Unspecified methods in the RACF Connector component before 1.1.1.0 in ForgeRock OpenIDM and OpenICF
Unspecified methods in the RACF Connector component before 1.1.1.0 in ForgeRock OpenIDM and OpenICF improperly call the SearchControls constructor with returnObjFlag set to true, which allows remote attackers to execute arbitrary code via a crafted serialized Java object, aka LDAP entry poisoning. CVSSv3.1 8.1 (HIGH)
CVE-2017-2768 — Emc Smarts_network_configuration_manager: Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network
EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains an Improper Authentication vulnerability that could potentially be exploited by malicious users to compromise the affected system. CVSSv3.1 9.8 (CRITICAL)
CVE-2017-2767 — Emc Smarts_network_configuration_manager: Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network
EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contains a Java RMI Remote Code Execution vulnerability that could potentially be exploited by malicious users to compromise the affected system. CVSSv3.1 9.8 (CRITICAL)