CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1001 CVE-2016-0218 79 XSS 2017-02-01 2017-04-06
3.5
None Remote Medium ??? None Partial None
IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
1002 CVE-2016-0217 79 XSS 2017-02-01 2019-09-30
3.5
None Remote Medium ??? None Partial None
IBM Cognos Business Intelligence and IBM Cognos Analytics are vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
1003 CVE-2016-0214 284 2017-02-08 2017-02-15
6.8
None Remote Medium Not required Partial Partial Partial
IBM Tivoli Endpoint Manager could allow a remote attacker to upload arbitrary files. A remote attacker could exploit this vulnerability to upload a malicious file. The only way that file would be executed would be through a phishing attack to trick an unsuspecting victim to execute the file.
1004 CVE-2016-0210 200 +Info 2017-02-08 2017-02-15
5.0
None Remote Low Not required Partial None None
IBM Sterling B2B Integrator Standard Edition could allow a remote attacker to obtain sensitive information. By allowing HTTP OPTIONS method, a remote attacker could send a specially-crafted query to a vulnerable server running to cause the server to disclose sensitive information in the HTTP response.
1005 CVE-2016-0206 20 2017-02-08 2017-02-15
2.1
None Local Low Not required None None Partial
IBM Cloud Orchestrator could allow a local authenticated attacker to cause the server to slow down for a short period of time by using a specially crafted and malformed URL.
1006 CVE-2016-0203 200 +Info 2017-02-08 2017-02-15
2.1
None Local Low Not required Partial None None
A vulnerability has been identified in the IBM Cloud Orchestrator task API. The task API might allow an authenticated user to view background information associated with actions performed on virtual machines in projects where the user belongs to.
1007 CVE-2016-0202 200 +Info 2017-02-08 2017-02-15
2.1
None Local Low Not required Partial None None
A vulnerability has been identified in tasks, backend object generated for handling any action performed by the application in IBM Cloud Orchestrator. It is possible for an authenticated user to view any task of the current users domain.
1008 CVE-2015-8979 119 DoS Overflow 2017-02-15 2017-02-23
5.0
None Remote Low Not required None None Partial
Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a long string sent to TCP port 4242.
1009 CVE-2015-8936 79 XSS 2017-02-09 2017-02-15
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in squidGuard.cgi in squidGuard before 1.5 allows remote attackers to inject arbitrary web script or HTML via a blocked site link.
1010 CVE-2015-8903 835 DoS 2017-02-27 2020-07-31
4.3
None Remote Medium Not required None None Partial
The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted VICAR file.
1011 CVE-2015-8902 835 DoS 2017-02-27 2020-07-31
4.3
None Remote Medium Not required None None Partial
The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted PDB file.
1012 CVE-2015-8901 835 DoS 2017-02-27 2020-07-31
4.3
None Remote Medium Not required None None Partial
ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted MIFF file.
1013 CVE-2015-8900 835 DoS 2017-02-27 2020-07-31
4.3
None Remote Medium Not required None None Partial
The ReadHDRImage function in coders/hdr.c in ImageMagick 6.x and 7.x allows remote attackers to cause a denial of service (infinite loop) via a crafted HDR file.
1014 CVE-2015-8832 284 Exec Code 2017-02-09 2017-03-02
6.5
None Remote Low ??? Partial Partial Partial
Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with "manage their own media items" and "manage their own entries and comments" permissions to execute arbitrary PHP code by uploading a file with a (1) .pht, (2) .phps, or (3) .phtml extension.
1015 CVE-2015-8831 79 XSS 2017-02-09 2017-03-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin/comments.php in Dotclear before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the author name in a comment.
1016 CVE-2015-8771 94 Exec Code 2017-02-13 2017-03-02
7.5
None Remote Low Not required Partial Partial Partial
The generate_smb_nt_hash function in include/functions.inc in GOsa allows remote attackers to execute arbitrary commands via a crafted password.
1017 CVE-2015-8768 264 +Priv 2017-02-13 2017-10-03
7.5
None Remote Low Not required Partial Partial Partial
click/install.py in click does not require files in package filesystem tarballs to start with ./ (dot slash), which allows remote attackers to install an alternate security policy and gain privileges via a crafted package, as demonstrated by the test.mmrow app for Ubuntu phone.
1018 CVE-2015-8750 476 DoS 2017-02-13 2022-03-01
4.3
None Remote Medium Not required None None Partial
libdwarf 20151114 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a debug_abbrev section marked NOBITS in an ELF file.
1019 CVE-2015-8608 125 DoS Exec Code 2017-02-07 2020-07-15
7.5
None Remote Low Not required Partial Partial Partial
The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive letter or (2) pInName argument.
1020 CVE-2015-8544 200 +Info 2017-02-07 2017-11-16
5.0
None Remote Low Not required Partial None None
NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors.
1021 CVE-2015-8322 Exec Code 2017-02-07 2017-11-16
6.5
None Remote Low ??? Partial Partial Partial
NetApp OnCommand System Manager 8.3.x before 8.3.2 allows remote authenticated users to execute arbitrary code via unspecified vectors.
1022 CVE-2015-7599 190 DoS Exec Code Overflow 2017-02-07 2017-11-16
9.3
None Remote Medium Not required Complete Complete Complete
Integer overflow in the _authenticate function in svc_auth.c in Wind River VxWorks 5.5 through 6.9.4.1, when the Remote Procedure Call (RPC) protocol is enabled, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a username and password.
1023 CVE-2015-7494 284 2017-02-08 2017-02-14
1.7
None Local Low ??? None Partial None
A vulnerability has been identified in IBM Cloud Orchestrator services/[action]/launch API. An authenticated domain admin user might modify cross domain resources via a /services/[action]/launch API call, provided it would have been possible for the domain admin user to gain access to a resource identifier of the other domain.
1024 CVE-2015-7493 200 Exec Code +Info 2017-02-08 2017-02-13
1.9
None Local Medium Not required Partial None None
IBM InfoSphere Information Server could allow a local user under special circumstances to execute commands during installation processes that could expose sensitive information.
1025 CVE-2015-7418 200 +Info 2017-02-08 2017-02-14
2.1
None Local Low Not required Partial None None
IBM WebSphere eXtreme Scale and the WebSphere DataPower XC10 Appliance allow some sensitive data to linger in memory instead of being overwritten which could allow a local user with administrator privileges to obtain sensitive information.
1026 CVE-2015-6024 77 Exec Code 2017-02-09 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmware before 3G10WVE-L101-S306ETS-C01_R05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the DIA_IPADDRESS parameter.
1027 CVE-2015-6023 284 Exec Code Bypass 2017-02-09 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
ping.cgi in NetCommWireless HSPA 3G10WVE wireless routers with firmware before 3G10WVE-L101-S306ETS-C01_R05 allows remote attackers to bypass intended access restrictions via a direct request. NOTE: this issue can be combined with CVE-2015-6024 to execute arbitrary commands.
1028 CVE-2015-5677 200 +Info 2017-02-07 2017-09-10
2.1
None Local Low Not required Partial None None
bsnmpd, as used in FreeBSD 9.3, 10.1, and 10.2, uses world-readable permissions on the snmpd.config file, which allows local users to obtain the secret key for USM authentication by reading the file.
1029 CVE-2015-5013 522 2017-02-08 2021-11-09
2.1
None Local Low Not required Partial None None
The IBM Security Access Manager appliance includes configuration files that contain obfuscated plaintext-passwords which authenticated users can access.
1030 CVE-2015-4057 200 +Info 2017-02-21 2021-09-09
5.0
None Remote Low Not required Partial None None
The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations before 2.6.5 sends a cleartext HTTP response upon a request for the Settings screen, which allows remote attackers to discover the admin user password by sniffing the network.
1031 CVE-2015-4056 310 2017-02-21 2021-09-09
2.1
None Local Low Not required Partial None None
The System Library in VCE Vision Intelligent Operations before 2.6.5 does not properly implement cryptography, which makes it easier for local users to discover credentials by leveraging administrative access.
1032 CVE-2015-4049 119 DoS Overflow Mem. Corr. 2017-02-03 2017-03-14
5.6
None Remote High ??? None Partial Complete
Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with MCP-FIRMWARE 40.0 before 40.0IC4 Build 270 might allow remote authenticated users to cause a denial of service (data corruption or system crash) via vectors related to using program operators during EPSILON (level 5) based codefiles at peak memory usage, which triggers CPM stack corruption.
1033 CVE-2015-2794 264 2017-02-06 2017-03-02
7.5
None Remote Low Not required Partial Partial Partial
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
1034 CVE-2015-1976 284 Exec Code 2017-02-08 2019-02-04
2.1
None Local Low Not required None None Partial
IBM Security Directory Server could allow an authenticated user to execute commands into the web administration tool that would cause the tool to crash.
1035 CVE-2014-9916 79 1 XSS 2017-02-24 2020-02-24
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) tribe_name or (2) tags parameter in a tribes page request to user/ or the (3) user_id or (4) fullname parameter to signup.php.
1036 CVE-2014-9914 362 DoS +Priv 2017-02-07 2017-07-25
7.2
None Local Low Not required Complete Complete Complete
Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c in the Linux kernel before 3.15.2 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging incorrect expectations about locking during multithreaded access to internal data structures for IPv4 UDP sockets.
1037 CVE-2014-9905 79 XSS 2017-02-17 2019-11-07
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields.
1038 CVE-2014-9760 79 XSS 2017-02-13 2020-02-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the displayLogin function in html/index.php in GOsa allows remote attackers to inject arbitrary web script or HTML via the username.
1039 CVE-2014-4677 77 Exec Code 2017-02-22 2018-05-02
7.2
None Local Low Not required Complete Complete Complete
The installPackage function in the installerHelper subcomponent in Libmacgpg in GPG Suite before 2015.06 allows local users to execute arbitrary commands with root privileges via shell metacharacters in the xmlPath argument.
1040 CVE-2013-7459 119 Exec Code Overflow 2017-02-15 2017-07-01
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
1041 CVE-2010-5328 20 DoS 2017-02-06 2017-03-29
4.9
None Local Low Not required None None Complete
include/linux/init_task.h in the Linux kernel before 2.6.35 does not prevent signals with a process group ID of zero from reaching the swapper process, which allows local users to cause a denial of service (system crash) by leveraging access to this process group.
Total number of vulnerabilities : 1041   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.