CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In August 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1201 CVE-2016-8739 611 2017-08-10 2021-06-16
7.8
None Remote Low Not required Complete None None
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
1202 CVE-2016-7976 20 Exec Code 2017-08-07 2017-11-04
6.8
None Remote Medium Not required Partial Partial Partial
The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams.
1203 CVE-2016-7845 264 2017-08-02 2017-08-04
5.5
None Remote Low ??? Partial None Partial
GigaCC OFFICE ver.2.3 and earlier allows remote attackers to upload arbitrary files as a user profile image, which may be exploited for unauthorized file sharing.
1204 CVE-2016-7844 78 Exec Code 2017-08-02 2017-08-04
6.0
None Remote Medium ??? Partial Partial Partial
GigaCC OFFICE ver.2.3 and earlier allows remote attackers to execute arbitrary OS commands via specially crafted mail template.
1205 CVE-2016-7812 310 2017-08-02 2017-08-07
4.3
None Remote Medium Not required Partial None None
The Bank of Tokyo-Mitsubishi UFJ, Ltd. App for Android ver5.3.1, ver5.2.2 and earlier allow a man-in-the-middle attacker to downgrade the communication between the app and the server from TLS v1.2 to SSL v3.0, which may result in the attacker to eavesdrop on an encrypted communication.
1206 CVE-2016-7030 255 DoS 2017-08-28 2018-01-05
5.0
None Remote Low Not required None None Partial
FreeIPA uses a default password policy that locks an account after 5 unsuccessful authentication attempts, which allows remote attackers to cause a denial of service by locking out the account in which system services run on.
1207 CVE-2016-6817 119 DoS Overflow 2017-08-10 2019-04-15
5.0
None Remote Low Not required None None Partial
The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.
1208 CVE-2016-6812 79 XSS 2017-08-10 2021-06-16
4.3
None Remote Medium Not required None Partial None
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.
1209 CVE-2016-6800 79 Exec Code XSS 2017-08-30 2019-10-16
4.3
None Remote Medium Not required None Partial None
The default configuration of the Apache OFBiz framework offers a blog functionality. Different users are able to operate blogs which are related to specific parties. In the form field for the creation of new blog articles the user input of the summary field as well as the article field is not properly sanitized. It is possible to inject arbitrary JavaScript code in these form fields. This code gets executed from the browser of every user who is visiting this article. Mitigation: Upgrade to Apache OFBiz 16.11.01.
1210 CVE-2016-6797 284 2017-08-10 2021-10-20
5.0
None Remote Low Not required Partial None None
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
1211 CVE-2016-6796 254 Bypass 2017-08-11 2021-10-20
5.0
None Remote Low Not required None Partial None
A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
1212 CVE-2016-6794 200 Bypass +Info 2017-08-10 2021-10-20
5.0
None Remote Low Not required Partial None None
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
1213 CVE-2016-6311 200 +Info 2017-08-22 2017-12-15
5.0
None Remote Low Not required Partial None None
Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers.
1214 CVE-2016-6310 200 +Info 2017-08-22 2017-08-30
2.1
None Local Low Not required Partial None None
oVirt Engine discloses the ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD in /var/log/ovirt-engine/engine.log file in RHEV before 4.0.
1215 CVE-2016-6220 200 +Info 2017-08-07 2021-08-25
5.0
None Remote Low Not required Partial None None
Information Disclosure vulnerability in the Dashboard and Error Pages in Trend Micro Control Manager SP3 6.0.
1216 CVE-2016-6121 79 XSS 2017-08-09 2017-08-20
3.5
None Remote Medium ??? None Partial None
IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118383.
1217 CVE-2016-6029 200 +Info 2017-08-14 2017-08-20
4.3
None Remote Medium Not required Partial None None
IBM Emptoris Strategic Supply Management Platform 10.0 and 10.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 116881.
1218 CVE-2016-6021 79 XSS 2017-08-14 2017-08-20
3.5
None Remote Medium ??? None Partial None
IBM Emptoris Strategic Supply Management Platform 10.0 and 10.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 116755.
1219 CVE-2016-5872 20 2017-08-18 2017-08-22
10.0
None Remote Low Not required Complete Complete Complete
In all Qualcomm products with Android releases from CAF using the Linux kernel, arguments to several QTEE syscalls are not properly validated.
1220 CVE-2016-5871 119 Overflow 2017-08-18 2017-08-23
10.0
None Remote Low Not required Complete Complete Complete
In all Qualcomm products with Android releases from CAF using the Linux kernel, an integer overflow to buffer overflow vulnerability exists when loading an image file.
1221 CVE-2016-5867 264 Overflow 2017-08-16 2017-08-20
7.6
None Remote High Not required Complete Complete Complete
In a sound driver in Android for MSM, Firefox OS for MSM, QRD Android, some variables are from userspace and values can be chosen that could result in stack overflow.
1222 CVE-2016-5864 264 Overflow 2017-08-16 2017-08-20
9.3
None Remote Medium Not required Complete Complete Complete
In an audio driver function in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, some parameters are from userspace, and if they are set to a large value, integer overflow is possible followed by buffer overflow. In another function, a missing check for a lower bound may result in an out of bounds memory access.
1223 CVE-2016-5863 264 2017-08-16 2017-08-20
9.3
None Remote Medium Not required Complete Complete Complete
In an ioctl handler in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, several sanity checks are missing which can lead to out-of-bounds accesses.
1224 CVE-2016-5862 264 2017-08-16 2017-08-20
7.6
None Remote High Not required Complete Complete Complete
When a control related to codec is issued from userspace in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, the type casting is done to the container structure instead of the codec's individual structure, resulting in a device restart after kernel crash occurs.
1225 CVE-2016-5861 264 Overflow 2017-08-16 2017-08-20
8.3
None Local Network Low Not required Complete Complete Complete
In a display driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, a variable controlled by userspace is used to calculate offsets and sizes for copy operations, which could result in heap overflow.
1226 CVE-2016-5860 264 Overflow 2017-08-16 2017-08-20
7.6
None Remote High Not required Complete Complete Complete
In an audio driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, if a function is called with a very large length, an integer overflow could occur followed by a heap buffer overflow.
1227 CVE-2016-5859 264 Overflow 2017-08-16 2017-08-18
7.6
None Remote High Not required Complete Complete Complete
In a sound driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, if a function is called with a very large length, an integer overflow could occur followed by a buffer overflow.
1228 CVE-2016-5858 200 +Info 2017-08-16 2017-08-18
2.6
None Remote High Not required Partial None None
In an ioctl handler in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, if a user supplies a value too large, then an out-of-bounds read occurs.
1229 CVE-2016-5855 200 +Info 2017-08-16 2017-08-18
2.6
None Remote High Not required Partial None None
In a driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, a user-supplied buffer is casted to a structure without checking if the source buffer is large enough.
1230 CVE-2016-5854 200 +Info 2017-08-16 2017-08-18
2.6
None Remote High Not required Partial None None
In a driver in all Qualcomm products with Android for MSM, Firefox OS for MSM, or QRD Android, kernel heap memory can be exposed to userspace.
1231 CVE-2016-5853 264 Exec Code 2017-08-16 2017-09-29
7.6
None Remote High Not required Complete Complete Complete
In an audio driver in all Qualcomm products with Android releases from CAF using the Linux kernel, when a sanity check encounters a length value not in the correct range, an error message is printed, but code execution continues in the same way as for a correct length value.
1232 CVE-2016-5816 798 2017-08-25 2017-08-30
5.0
None Remote Low Not required Partial None None
A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any other source.
1233 CVE-2016-5795 611 Exec Code 2017-08-31 2021-07-27
7.5
None Remote Low Not required Partial Partial Partial
An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.
1234 CVE-2016-5716 134 Exec Code 2017-08-09 2019-07-10
6.5
None Remote Low ??? Partial Partial Partial
The console in Puppet Enterprise 2015.x and 2016.x prior to 2016.4.0 includes unsafe string reads that potentially allows for remote code execution on the console node.
1235 CVE-2016-5347 200 +Info 2017-08-16 2017-08-18
2.6
None Remote High Not required Partial None None
In all Qualcomm products with Android releases from CAF using the Linux kernel, kernel stack data can be leaked to userspace by an audio driver.
1236 CVE-2016-5018 254 Bypass 2017-08-10 2021-10-20
5.0
None Remote Low Not required None Partial None
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
1237 CVE-2016-5001 200 +Info 2017-08-30 2021-07-03
2.1
None Local Low Not required Partial None None
This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.
1238 CVE-2016-4462 20 Exec Code 2017-08-30 2017-09-12
6.5
None Remote Low ??? Partial Partial Partial
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
1239 CVE-2016-4460 287 Bypass 2017-08-22 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication.
1240 CVE-2016-4456 20 2017-08-08 2020-06-16
5.0
None Remote Low Not required None Partial None
The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem.
1241 CVE-2016-3113 79 XSS 2017-08-07 2020-02-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in ovirt-engine allows remote attackers to inject arbitrary web script or HTML.
1242 CVE-2016-2980 74 2017-08-29 2017-09-02
6.8
None Remote Medium Not required Partial Partial Partial
The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injection where a malicious site can inject their own script by exploiting a vulnerability in the way that the WebPlayer works. IBM X-Force ID: 113993.
1243 CVE-2016-2979 79 XSS 2017-08-29 2017-09-07
3.5
None Remote Medium ??? None Partial None
IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113945.
1244 CVE-2016-2978 200 +Info 2017-08-29 2017-09-03
2.1
None Local Low Not required Partial None None
IBM Sametime 8.5.2 and 9.0 could store potentially sensitive information from the browser cache locally that could be available to a local user. IBM X-Force ID: 113938.
1245 CVE-2016-2977 20 2017-08-29 2017-09-07
4.0
None Remote Low ??? None Partial None
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a malicious user to lower other users hands in the meeting. IBM X-Force ID: 113937.
1246 CVE-2016-2976 200 +Info 2017-08-29 2017-09-03
4.0
None Remote Low ??? Partial None None
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting invitee to obtain previously cleared sensitive information by viewing the meeting report history. IBM X-Force ID: 113936.
1247 CVE-2016-2975 79 XSS 2017-08-29 2017-09-03
3.5
None Remote Medium ??? None Partial None
IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113935.
1248 CVE-2016-2974 200 +Info 2017-08-29 2017-09-01
2.1
None Local Low Not required Partial None None
IBM Sametime Connect 8.5.2 and 9.0, after uninstalling the Sametime Rich Client, could disclose potentially sensitive information related to the Sametime environment as well as other users on the local machine of the user. IBM X-Force ID: 113934.
1249 CVE-2016-2973 79 XSS 2017-08-29 2017-09-07
3.5
None Remote Medium ??? None Partial None
IBM Sametime Media Services 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113899.
1250 CVE-2016-2972 255 2017-08-29 2017-09-07
2.1
None Local Low Not required Partial None None
IBM Sametime Meeting Server 8.5.2 and 9.0 could store credentials of the Sametime Meetings user in the local cache of their browser which could be accessed by a local user. IBM X-Force ID: 113855.
Total number of vulnerabilities : 1542   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 (This Page)26 27 28 29 30 31
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.