2017-02-01
2017-02-01 19:59Z
CRIT

CVE-2017-3791 — Cisco Cisco_prime_home: A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-3791

A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges. The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication. An exploit could allow the attacker to perform any actions in Cisco Prime H CVSSv3.1 10.0 (CRITICAL)

CWECWE 287VNDCiscoTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2017-02-01
2017-02-01 19:59Z
HIGH

CVE-2017-3790 — Cisco Expressway: A vulnerability in the received packet parser of Cisco Expressway Series and Cisco TelePresence

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-3790

A vulnerability in the received packet parser of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) software could allow an unauthenticated, remote attacker to cause a reload of the affected system, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient size validation of user-supplied data. An attacker could exploit this vulnerability by sending crafted H.224 data in Real-Time Transport Protocol (RTP) packets i CVSSv3.1 8.6 (HIGH)

CWECWE 20CWECWE 119CWECWE 399VNDCiscoTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2017-02-01
2017-02-01 19:59Z
HIGH

CVE-2016-9225 — Cisco Asa_cx_context-aware_security_software: A vulnerability in the data plane IP fragment handler of the Cisco Adaptive Security

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9225

A vulnerability in the data plane IP fragment handler of the Cisco Adaptive Security Appliance (ASA) CX Context-Aware Security module could allow an unauthenticated, remote attacker to cause the CX module to be unable to process further traffic, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of IP fragments. An attacker could exploit this vulnerability by sending crafted fragmented IP traffic across the CX module. An exploit co CVSSv3.1 8.6 (HIGH)

CWECWE 399VNDCiscoTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2017-02-01
2017-02-01 17:59Z
CRIT

CVE-2016-8491 — Fortinet Fortiwlc: The presence of a hardcoded account named 'core' in Fortinet FortiWLC allows attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-8491

The presence of a hardcoded account named 'core' in Fortinet FortiWLC allows attackers to gain unauthorized read/write access via a remote shell. CVSSv3.1 9.1 (CRITICAL)

CWECWE 798VNDFortinetTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2017-02-01
2017-02-01 15:59Z
CRIT

CVE-2016-10164 — X.org Libxpm: Multiple integer overflows in libXpm before 3.5.12, when a program requests parsing XPM extensions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10164

Multiple integer overflows in libXpm before 3.5.12, when a program requests parsing XPM extensions on a 64-bit platform, allow remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via (1) the number of extensions or (2) their concatenated length in a crafted XPM file, which triggers a heap-based buffer overflow. CVSSv3.1 9.8 (CRITICAL)

CWECWE 787CWECWE 190CWECWE 119VNDX OrgTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-02-01
2017-02-01 11:59Z
HIGH

CVE-2017-3823 — Cisco Activetouch_general_plugin_container: A vulnerability in these Cisco WebEx browser extensions could allow an unauthenticated, remote attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-3823

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Container before 106 on Mozilla Firefox, the GpcContainer Class ActiveX control plugin before 10031.6.2017.0126 on Internet Explorer, and the Download Manager ActiveX control plugin before 2.1.0.10 on Internet Explorer. A vulnerability in these Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privil CVSSv3.1 8.8 (HIGH)

CWECWE 119VNDCiscoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-01-31
2017-01-31 22:59Z
CRIT

CVE-2016-9420 — Mybb Merge_system: (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9420

MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives." CVSSv3.1 9.8 (CRITICAL)

CWECWE 20VNDMybbTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2017-01-31
2017-01-31 22:59Z
CRIT

CVE-2016-9416 — Mybb Merge_system: SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9416

SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDMybbTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-01-31
2017-01-31 22:59Z
CRIT

CVE-2016-9412 — Mybb Merge_system: (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9412

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy. CVSSv3.1 9.8 (CRITICAL)

CWECWE 284VNDMybbTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-01-31
2017-01-31 22:59Z
CRIT

CVE-2016-9403 — Mybb Merge_system: newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9403

newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check. CVSSv3.1 9.8 (CRITICAL)

CWECWE 264VNDMybbTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-01-31
2017-01-31 22:59Z
CRIT

CVE-2016-9402 — Mybb Merge_system: SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9402

SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDMybbTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-01-31
2017-01-31 22:59Z
CRIT

CVE-2015-8974 — Mybb Merge_system: SQL injection vulnerability in the Group Promotions module in the admin control panel in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-8974

SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CVSSv3.1 10.0 (CRITICAL)

CWECWE 89VNDMybbTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2017-01-31
2017-01-31 22:59Z
HIGH

CVE-2015-8973 — Mybb Merge_system: xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-8973

xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password. CVSSv3.1 8.3 (HIGH)

CWECWE 284VNDMybbTYPVulnerability
8.3
CVSS v3.1
92
Edit Score
2017-01-31
2017-01-31 19:59Z
HIGH

CVE-2016-6621 — Phpmyadmin Phpmyadmin: The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-6621

The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors. CVSSv3.1 8.6 (HIGH)

CWECWE 918VNDPhpmyadminTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2017-01-31
2017-01-31 18:59Z
CRIT

CVE-2016-10043 — Mrf Web_panel: The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to be vulnerable to OS command

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10043

An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands and retrieve the output in the application's responses. Attackers could execute unauthorized commands, which could then be used to disable the software, or read, write, and modify data for which the attacker does not have per CVSSv3.1 10.0 (CRITICAL)

CWECWE 78VNDMrfVNDRadisysTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2017-01-30
2017-01-30 22:59Z
CRIT

CVE-2016-9132 — Botan_project Botan: In Botan 1.8.0 through 1.11.33, when decoding BER data an integer overflow could occur

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-9132

In Botan 1.8.0 through 1.11.33, when decoding BER data an integer overflow could occur, which would cause an incorrect length field to be computed. Some API callers may use the returned (incorrect and attacker controlled) length field in a way which later causes memory corruption or other failure. CVSSv3.1 9.8 (CRITICAL)

CWECWE 190VNDBotan ProjectVNDBotanTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-01-30
2017-01-30 22:59Z
CRIT

CVE-2016-6604 — Samsung Exynos_fimg2d: NULL pointer dereference in Samsung Exynos fimg2d driver for Android L(5.0/5.1) and M(6.0) allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-6604

NULL pointer dereference in Samsung Exynos fimg2d driver for Android L(5.0/5.1) and M(6.0) allows attackers to have unspecified impact via unknown vectors. The Samsung ID is SVE-2016-6382. CVSSv3.1 9.8 (CRITICAL)

CWECWE 476VNDSamsungVNDNullTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-01-30
2017-01-30 22:59Z
HIGH

CVE-2016-6270 — Trendmicro Virtual_mobile_infrastructure: The handle_certificate function in /vmi/manager/engine/management/commands/apns_worker.py in Trend Micro Virtual Mobile Infrastructure before

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-6270

The handle_certificate function in /vmi/manager/engine/management/commands/apns_worker.py in Trend Micro Virtual Mobile Infrastructure before 5.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the password to api/v1/cfg/oauth/save_identify_pfx/. CVSSv3.1 8.8 (HIGH)

CWECWE 77VNDTrendmicroTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-01-30
2017-01-30 22:59Z
CRIT

CVE-2016-6269 — Trendmicro Smart_protection_server: Multiple directory traversal vulnerabilities in Trend Micro Smart Protection Server 2.5 before build 2200

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-6269

Multiple directory traversal vulnerabilities in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allow remote attackers to read and delete arbitrary files via the tmpfname parameter to (1) log_mgt_adhocquery_ajaxhandler.php, (2) log_mgt_ajaxhandler.php, (3) log_mgt_ajaxhandler.php or (4) tf parameter to wcs_bwlists_handler.php. CVSSv3.1 9.1 (CRITICAL)

CWECWE 22VNDTrendmicroVNDTrendTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2017-01-30
2017-01-30 22:59Z
HIGH

CVE-2016-6267 — Trendmicro Smart_protection_server: SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-6267

SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) spare_Community, (2) spare_AllowGroupIP, or (3) spare_AllowGroupNetmask parameter to admin_notification.php. CVSSv3.1 8.8 (HIGH)

CWECWE 20VNDTrendmicroVNDSnmputilsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-01-30
2017-01-30 22:59Z
HIGH

CVE-2016-6266 — Trendmicro Smart_protection_server: ccca_ajaxhandler.php in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-6266

ccca_ajaxhandler.php in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) host or (2) apikey parameter in a register action, (3) enable parameter in a save_stting action, or (4) host or (5) apikey parameter in a test_connection action. CVSSv3.1 8.8 (HIGH)

CWECWE 20VNDTrendmicroVNDTrendTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-01-30
2017-01-30 22:59Z
HIGH

CVE-2015-2181 — Roundcube Webmail: Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-2181

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. CVSSv3.1 8.8 (HIGH)

CWECWE 119VNDRoundcubeVNDDbmailTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-01-30
2017-01-30 22:59Z
HIGH

CVE-2015-2180 — Roundcube Webmail: The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2015-2180

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password. CVSSv3.1 8.8 (HIGH)

CWECWE 74VNDRoundcubeVNDDbmailTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2017-01-30
2017-01-30 04:59Z
CRIT

CVE-2017-5611 — Wordpress Wordpress: SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2017-5611

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDOracleVNDWordpressTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2017-01-30
2017-01-30 04:59Z
CRIT

CVE-2016-10182 — Dlink Dwr-932b_firmware: qmiweb allows command injection with ` characters.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-10182

An issue was discovered on the D-Link DWR-932B router. qmiweb allows command injection with ` characters. CVSSv3.1 9.8 (CRITICAL)

CWECWE 77VNDDlinkTYPVulnerability
9.8
CVSS v3.1
99
Edit Score