Total
7102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-5270 | 2 Debian, Gnupg | 2 Debian Linux, Libgcrypt | 2017-11-04 | 2.1 LOW | N/A |
| Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576. | |||||
| CVE-2017-9605 | 1 Linux | 1 Linux Kernel | 2017-11-04 | 4.9 MEDIUM | 5.5 MEDIUM |
| The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface, with a previously allocated DMA buffer to be used as a backup buffer, the backup_handle variable does not get written to and is then later returned to user space, allowing local users to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. | |||||
| CVE-2016-8405 | 1 Linux | 1 Linux Kernel | 2017-11-04 | 4.3 MEDIUM | 4.7 MEDIUM |
| An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-31651010. | |||||
| CVE-2017-12849 | 1 Silverstripe | 1 Silverstripe | 2017-11-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Response discrepancy in the login and password reset forms in SilverStripe CMS before 3.5.5 and 3.6.x before 3.6.1 allows remote attackers to enumerate users via timing attacks. | |||||
| CVE-2017-11776 | 1 Microsoft | 1 Outlook | 2017-11-03 | 5.0 MEDIUM | 7.5 HIGH |
| Microsoft Outlook 2016 allows an attacker to obtain the email content of a user, due to how Outlook 2016 discloses user email content, aka "Microsoft Outlook Information Disclosure Vulnerability." | |||||
| CVE-2016-0287 | 2 Ibm, Microsoft | 2 I Access, Windows | 2017-11-03 | 2.1 LOW | 7.8 HIGH |
| IBM i Access 7.1 on Windows allows local users to discover registry passwords via unspecified vectors. | |||||
| CVE-2017-14971 | 1 Infocuscorp | 1 Infocus Mondopad | 2017-11-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| Infocus Mondopad 2.2.08 is vulnerable to a Hashed Credential Disclosure vulnerability. The attacker provides a crafted Microsoft Office document containing a link that has a UNC pathname associated with an attacker-controller server. In one specific scenario, the attacker provides an Excel spreadsheet, and the attacker-controller server receives the victim's NetNTLMv2 hash. | |||||
| CVE-2017-1000087 | 1 Jenkins | 1 Github Branch Source | 2017-11-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability. | |||||
| CVE-2011-4343 | 1 Apache | 1 Myfaces | 2017-11-02 | 5.0 MEDIUM | 7.5 HIGH |
| Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters. | |||||
| CVE-2017-1000099 | 1 Haxx | 1 Libcurl | 2017-11-01 | 4.3 MEDIUM | 6.5 MEDIUM |
| When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory. | |||||
| CVE-2017-1000108 | 1 Jenkins | 1 Pipeline-input-step | 2017-11-01 | 5.0 MEDIUM | 7.5 HIGH |
| The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead. | |||||
| CVE-2012-4382 | 1 Mediawiki | 1 Mediawiki | 2017-10-31 | 4.0 MEDIUM | 4.9 MEDIUM |
| MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt. | |||||
| CVE-2017-1220 | 1 Ibm | 1 Bigfix Platform | 2017-10-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 123860. | |||||
| CVE-2017-1225 | 1 Ibm | 1 Bigfix Platform | 2017-10-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 123904. | |||||
| CVE-2017-1226 | 1 Ibm | 1 Bigfix Platform | 2017-10-31 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) generates an error message in error logs that includes sensitive information about its environment which could be used in further attacks against the system. IBM X-Force ID: 123905. | |||||
| CVE-2017-1228 | 1 Ibm | 1 Bigfix Platform | 2017-10-31 | 4.3 MEDIUM | 3.7 LOW |
| IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable the secure cookie attribute. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 123907. | |||||
| CVE-2017-1230 | 1 Ibm | 1 Bigfix Platform | 2017-10-31 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. This weakness may allow attackers to expose sensitive information by guessing tokens or identifiers. IBM X-Force ID: 123909. | |||||
| CVE-2017-5223 | 1 Phpmailer Project | 1 Phpmailer | 2017-10-28 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments. To form a remote vulnerability, the msgHTML method must be called, passed an unfiltered, user-supplied HTML document, and must not set a base directory. | |||||
| CVE-2017-10197 | 1 Oracle | 1 Hospitality Opera 5 Property Services | 2017-10-27 | 2.1 LOW | 4.6 MEDIUM |
| Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: Folios). The supported version that is affected is 5.4.2.x through 5.5.1.x. Easily exploitable vulnerability allows physical access to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.0 Base Score 4.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2017-8693 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2017-10-27 | 2.1 LOW | 5.5 MEDIUM |
| The Microsoft Graphics Component on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an information disclosure vulnerability in the way it handles objects in memory, aka "Microsoft Graphics Information Disclosure Vulnerability". | |||||