CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In May 2017

# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
851 CVE-2016-10287 264 Exec Code 2017-05-12 2017-05-19
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33784446. References: QC-CR#1112751.
852 CVE-2016-10286 264 Exec Code 2017-05-12 2017-05-19
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-35400904. References: QC-CR#1090237.
853 CVE-2016-10285 264 Exec Code 2017-05-12 2017-05-19
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33752702. References: QC-CR#1104899.
854 CVE-2016-10284 264 Exec Code 2017-05-12 2017-05-19
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32402303. References: QC-CR#2000664.
855 CVE-2016-10283 264 Exec Code 2017-05-12 2017-05-24
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-32094986. References: QC-CR#2002052.
856 CVE-2016-10282 264 Exec Code 2017-05-12 2017-05-25
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the MediaTek thermal driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-33939045. References: M-ALPS03149189.
857 CVE-2016-10281 264 Exec Code 2017-05-12 2017-05-25
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the MediaTek thermal driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-28175647. References: M-ALPS02696475.
858 CVE-2016-10280 264 Exec Code 2017-05-12 2017-05-25
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the MediaTek thermal driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-28175767. References: M-ALPS02696445.
859 CVE-2016-10277 264 Exec Code 2017-05-12 2017-09-06
9.3
None Remote Medium Not required Complete Complete Complete
An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.
860 CVE-2016-10276 264 Exec Code 2017-05-12 2017-05-19
9.3
None Remote Medium Not required Complete Complete Complete
An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: N/A. Android ID: A-32952839. References: QC-CR#1094105.
861 CVE-2016-10275 264 Exec Code 2017-05-12 2017-05-19
9.3
None Remote Medium Not required Complete Complete Complete
An elevation of privilege vulnerability in the Qualcomm bootloader could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: N/A. Android ID: A-34514954. References: QC-CR#1009111.
862 CVE-2016-10274 264 Exec Code 2017-05-12 2017-05-25
9.3
None Remote Medium Not required Complete Complete Complete
An elevation of privilege vulnerability in the MediaTek touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: N/A. Android ID: A-30202412. References: M-ALPS02897901.
863 CVE-2016-10243 20 Exec Code 2017-05-02 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.
864 CVE-2016-10242 362 2017-05-16 2017-07-11
7.6
None Remote High Not required Complete Complete Complete
A time-of-check time-of-use race condition could potentially exist in the secure file system in all Android releases from CAF using the Linux kernel.
865 CVE-2016-10239 119 Overflow Bypass 2017-05-16 2017-07-11
9.3
None Remote Medium Not required Complete Complete Complete
In TrustZone access control policy may potentially be bypassed in all Android releases from CAF using the Linux kernel due to improper input validation an integer overflow vulnerability leading to a buffer overflow could potentially occur and a buffer over-read vulnerability could potentially occur.
866 CVE-2016-10238 264 Bypass 2017-05-16 2017-07-11
9.3
None Remote Medium Not required Complete Complete Complete
In QSEE in all Android releases from CAF using the Linux kernel, access control may potentially be bypassed due to a page alignment issue.
867 CVE-2016-10237 284 2017-05-16 2017-07-11
9.3
None Remote Medium Not required Complete Complete Complete
If shared content protection memory were passed as the secure camera memory buffer by the HLOS to a trusted application (TA) in all Android releases from CAF using the Linux kernel, the TA would not detect an issue and it would be treated as secure memory.
868 CVE-2016-10073 200 +Info 2017-05-23 2019-07-11
5.0
None Remote Low Not required Partial None None
The from method in library/core/class.email.php in Vanilla Forums before 2.3.1 allows remote attackers to spoof the email domain in sent messages and potentially obtain sensitive information via a crafted HTTP Host header, as demonstrated by a password reset request.
869 CVE-2016-9976 284 Exec Code 2017-05-03 2017-05-12
6.8
None Remote Medium Not required Partial Partial Partial
IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 120252.
870 CVE-2016-9843 2017-05-23 2022-06-27
7.5
None Remote Low Not required Partial Partial Partial
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
871 CVE-2016-9842 2017-05-23 2022-06-22
6.8
None Remote Medium Not required Partial Partial Partial
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
872 CVE-2016-9841 2017-05-23 2022-06-22
7.5
None Remote Low Not required Partial Partial Partial
inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
873 CVE-2016-9840 2017-05-23 2022-06-22
6.8
None Remote Medium Not required Partial Partial Partial
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
874 CVE-2016-9750 255 2017-05-15 2017-05-23
4.0
None Remote Low ??? Partial None None
IBM QRadar 7.2 and 7.3 stores user credentials in clear text which can be read by an authenticated user. IBM X-Force ID: 120207.
875 CVE-2016-9735 200 +Info 2017-05-15 2017-05-23
4.0
None Remote Low ??? Partial None None
IBM Jazz Foundation could allow an authenticated user to obtain sensitive information from stack traces. IBM X-Force ID: 119781.
876 CVE-2016-9692 20 2017-05-05 2017-05-12
7.8
None Remote Low Not required None None Complete
IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to an External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 119516.
877 CVE-2016-9691 611 DoS 2017-05-05 2017-05-12
9.0
None Remote Low Not required Partial Partial Complete
IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515.
878 CVE-2016-9257 79 XSS 2017-05-09 2017-07-08
4.3
None Remote Medium Not required None Partial None
In F5 BIG-IP APM 12.0.0 through 12.1.2, non-authenticated users may be able to inject JavaScript into a request that will then be rendered and executed in the context of the Administrative user when the Administrative user is viewing the Access System Logs, allowing the non-authenticated user to carry out a Cross Site Scripting (XSS) attack against the Administrative user.
879 CVE-2016-9256 362 2017-05-09 2017-05-16
6.0
None Remote Medium ??? Partial Partial Partial
In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are changed and the time of the user's next request. This is a race condition that occurs rarely in normal usage; the typical period in which this is possible is limited to at most a few seconds after the permission change.
880 CVE-2016-9253 20 2017-05-09 2017-07-08
5.0
None Remote Low Not required None None Partial
In F5 BIG-IP 12.1.0 through 12.1.2, specific websocket traffic patterns may cause a disruption of service for virtual servers configured to use the websocket profile.
881 CVE-2016-9251 264 2017-05-09 2017-07-08
6.5
None Remote Low ??? Partial Partial Partial
In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be able to cause an escalation of privileges through a crafted iControl REST connection.
882 CVE-2016-9250 264 2017-05-10 2019-06-06
5.0
None Remote Low Not required None Partial None
In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, an unauthenticated user with access to the control plane may be able to delete arbitrary files through an undisclosed mechanism.
883 CVE-2016-9100 255 +Info 2017-05-11 2021-07-08
2.1
None Local Low Not required Partial None None
Symantec Advanced Secure Gateway (ASG) 6.6 prior to 6.6.5.13, ASG 6.7 prior to 6.7.3.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6 prior to 6.6.5.13, and ProxySG 6.7 prior to 6.7.3.1 are susceptible to an information disclosure vulnerability. An attacker with local access to the client host of an authenticated administrator user can, under certain circumstances, obtain sensitive authentication credential information.
884 CVE-2016-9099 601 2017-05-11 2021-07-08
5.8
None Remote Medium Not required Partial Partial None
Symantec Advanced Secure Gateway (ASG) 6.6, ASG 6.7 prior to 6.7.2.1, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6, and ProxySG 6.7 prior to 6.7.2.1 are susceptible to an open redirection vulnerability. A remote attacker can use a crafted management console URL in a phishing attack to redirect the target user to a malicious web site.
885 CVE-2016-9097 264 2017-05-11 2021-07-08
8.0
None Remote Low ??? Partial Partial Complete
The Symantec Advanced Secure Gateway (ASG) 6.6 prior to 6.6.5.8, ProxySG 6.5 prior to 6.5.10.6, ProxySG 6.6 prior to 6.6.5.8, and ProxySG 6.7 prior to 6.7.1.2 management consoles do not, under certain circumstances, correctly authorize administrator users. A malicious administrator with read-only access can exploit this vulnerability to access management console functionality that requires read-write access privileges.
886 CVE-2016-9092 352 CSRF 2017-05-11 2018-05-25
6.8
None Remote Medium Not required Partial Partial Partial
The Symantec Content Analysis (CA) 1.3, 2.x prior to 2.2.1.1, and Mail Threat Defense (MTD) 1.1 management consoles are susceptible to a cross-site request forging (CSRF) vulnerability. A remote attacker can use phishing or other social engineering techniques to access the management console with the privileges of an authenticated administrator user.
887 CVE-2016-8916 200 +Info 2017-05-05 2017-05-17
2.1
None Local Low Not required Partial None None
IBM Tivoli Storage Manager 5.5, 6.1-6.4, and 7.1 stores password information in a log file that could be read by a local user when a set password command is issued. IBM X-Force ID: 118472.
888 CVE-2016-8741 200 +Info 2017-05-15 2017-07-27
5.0
None Remote Low Not required Partial None None
The Apache Qpid Broker for Java can be configured to use different so-called AuthenticationProviders to handle user authentication. Among the choices are the SCRAM-SHA-1 and SCRAM-SHA-256 AuthenticationProvider types. It was discovered that these AuthenticationProviders in Apache Qpid Broker for Java 6.0.x before 6.0.6 and 6.1.x before 6.1.1 prematurely terminate the SCRAM SASL negotiation if the provided user name does not exist, thus allowing a remote attacker to determine the existence of user accounts. The vulnerability does not apply to AuthenticationProviders other than SCRAM-SHA-1 and SCRAM-SHA-256.
889 CVE-2016-8649 264 2017-05-01 2018-10-26
9.0
None Remote Low ??? Complete Complete Complete
lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat() family of syscalls.
890 CVE-2016-8497 264 +Priv 2017-05-26 2017-06-06
10.0
None Remote Low Not required Complete Complete Complete
An escalation of privilege vulnerability in Fortinet FortiClient SSL_VPN Linux versions available with FortiOS 5.4.3 and below allows an attacker to gain root privilege via the subproc file.
891 CVE-2016-8496 77 Exec Code 2017-05-26 2017-06-08
4.4
None Local Medium Not required Partial Partial Partial
A potential execution of unauthorized code or commands vulnerability in Fortinet FortiClient SSL_VPN Linux versions available with FortiOS 5.4.2 and below allows an attacker to potentially overwrite an existing file via the FortiClient log file.
892 CVE-2016-8209 754 DoS 2017-05-08 2017-07-08
5.0
None Remote Low Not required None None Partial
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.
893 CVE-2016-8202 264 +Priv 2017-05-08 2021-06-22
9.0
None Remote Low ??? Complete Complete Complete
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected versions, non-root users can gain root access with a combination of shell commands and parameters.
894 CVE-2016-7979 704 Exec Code Bypass 2017-05-23 2018-01-05
7.5
None Remote Low Not required Partial Partial Partial
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser.
895 CVE-2016-7978 416 Exec Code 2017-05-23 2018-01-05
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice.
896 CVE-2016-7977 200 Bypass +Info 2017-05-23 2018-01-18
4.3
None Remote Medium Not required Partial None None
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document.
897 CVE-2016-7804 426 +Priv 2017-05-22 2017-06-01
6.8
None Remote Medium Not required Partial Partial Partial
Untrusted search path vulnerability in 7-Zip for Windows 16.02 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.
898 CVE-2016-7476 20 DoS 2017-05-11 2019-06-06
5.0
None Remote Low Not required None None Partial
The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, APM, ASM, GTM, Link Controller, PEM, PSM, and WebSafe 11.6.0 before 11.6.0 HF6, 11.5.0 before 11.5.3 HF2, and 11.3.0 before 11.4.1 HF10 may suffer from a memory leak while handling certain types of TCP traffic. Remote attackers may cause a denial of service (DoS) by way of a crafted TCP packet.
899 CVE-2016-7055 320 2017-05-04 2019-07-02
2.6
None Remote High Not required None None Partial
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
900 CVE-2016-7054 284 2017-05-04 2017-09-03
5.0
None Remote Low Not required None None Partial
In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.
Total number of vulnerabilities: 1015. Page 18 of 21.