News aggregator

CVE-2017-9096

National Vulnerability Database - Wed, 11/08/2017 - 11:29
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
Categories: Security News

CVE-2017-12824

National Vulnerability Database - Wed, 11/08/2017 - 09:29
Special crafted InPage document leads to arbitrary code execution in InPage reader.
Categories: Security News

CVE-2017-14360

National Vulnerability Database - Wed, 11/08/2017 - 09:29
A potential security vulnerability has been identified in HPE Content Manager Workgroup Service v9.00. The vulnerability could be remotely exploited to allow Denial of Service (DoS).
Categories: Security News

CVE-2017-16663

National Vulnerability Database - Wed, 11/08/2017 - 01:29
In sam2p 0.49.4, there are integer overflows (with resultant heap-based buffer overflows) in input-bmp.ci in the function ReadImage, because "width * height" multiplications occur unsafely.
Categories: Security News

CVE-2017-16659

National Vulnerability Database - Wed, 11/08/2017 - 00:29
The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows local users to gain privileges by leveraging access to the assp user account to install a Trojan horse /usr/share/assp/assp.pl script.
Categories: Security News

CVE-2017-16660

National Vulnerability Database - Wed, 11/08/2017 - 00:29
Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP code in a Client-ip header.
Categories: Security News

CVE-2017-16661

National Vulnerability Database - Wed, 11/08/2017 - 00:29
Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by filename=passwd (with a Log Path under /etc) to read /etc/passwd.
Categories: Security News

Vuln: Apache Tomcat CVE-2017-5648 Information Disclosure Vulnerability

SecurityFocus Vulnerabilities - Wed, 11/08/2017 - 00:00
Apache Tomcat CVE-2017-5648 Information Disclosure Vulnerability
Categories: Security News

Vuln: Apache Tomcat CVE-2017-12617 Incomplete Fix Remote Code Execution Vulnerability

SecurityFocus Vulnerabilities - Wed, 11/08/2017 - 00:00
Apache Tomcat CVE-2017-12617 Incomplete Fix Remote Code Execution Vulnerability
Categories: Security News

Vuln: Apache Tomcat CVE-2017-12616 Information Disclosure Vulnerability

SecurityFocus Vulnerabilities - Wed, 11/08/2017 - 00:00
Apache Tomcat CVE-2017-12616 Information Disclosure Vulnerability
Categories: Security News

CVE-2017-16615

National Vulnerability Database - Tue, 11/07/2017 - 22:29
An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
Categories: Security News

CVE-2017-16616

National Vulnerability Database - Tue, 11/07/2017 - 22:29
An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. A YAML parser can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
Categories: Security News

CVE-2017-16618

National Vulnerability Database - Tue, 11/07/2017 - 22:29
An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A "Load YAML" string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load is used where safe_load should have been used. An attacker can insert Python into loaded YAML to trigger this vulnerability.
Categories: Security News

CVE-2017-16643

National Vulnerability Database - Tue, 11/07/2017 - 18:29
The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
Categories: Security News

CVE-2017-16644

National Vulnerability Database - Tue, 11/07/2017 - 18:29
The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device.
Categories: Security News

CVE-2017-16645

National Vulnerability Database - Tue, 11/07/2017 - 18:29
The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
Categories: Security News

CVE-2017-16646

National Vulnerability Database - Tue, 11/07/2017 - 18:29
drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device.
Categories: Security News

CVE-2017-16647

National Vulnerability Database - Tue, 11/07/2017 - 18:29
drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.
Categories: Security News

CVE-2017-16648

National Vulnerability Database - Tue, 11/07/2017 - 18:29
The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. NOTE: the function was later renamed __dvb_frontend_free.
Categories: Security News

CVE-2017-16649

National Vulnerability Database - Tue, 11/07/2017 - 18:29
The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.
Categories: Security News

Pages