News aggregator

CVE-2015-3249

National Vulnerability Database - Mon, 10/30/2017 - 10:29
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function.
Categories: Security News

CVE-2015-7549

National Vulnerability Database - Mon, 10/30/2017 - 10:29
The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.
Categories: Security News

CVE-2016-3090

National Vulnerability Database - Mon, 10/30/2017 - 10:29
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
Categories: Security News

CVE-2017-12460

National Vulnerability Database - Mon, 10/30/2017 - 10:29
Unspecified vulnerability in Barco ClickShare CSM-1 firmware before v1.7.0.3 and CSC-1 firmware before v1.10.0.10 has unknown impact and attack vectors.
Categories: Security News

CVE-2017-15597

National Vulnerability Database - Mon, 10/30/2017 - 10:29
An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out.
Categories: Security News

CVE-2017-7411

National Vulnerability Database - Mon, 10/30/2017 - 10:29
An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution).
Categories: Security News

CVE-2017-9377

National Vulnerability Database - Mon, 10/30/2017 - 10:29
A command injection was identified on Barco ClickShare Base Unit devices with CSM-1 firmware before 1.7.0.3 and CSC-1 firmware before 1.10.0.10. An attacker with access to the product's web API can exploit this vulnerability to completely compromise the vulnerable device.
Categories: Security News

CVE-2017-9450

National Vulnerability Database - Mon, 10/30/2017 - 10:29
The Amazon Web Services (AWS) CloudFormation bootstrap tools package (aka aws-cfn-bootstrap) before 1.4-19.10 allows local users to execute arbitrary code with root privileges by leveraging the ability to create files in an unspecified directory.
Categories: Security News
