| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1151 |
CVE-2016-2880 |
320 |
|
|
2017-03-01 |
2017-03-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM QRadar 7.2 stores the encryption key used to encrypt the service account password which can be obtained by a local user. IBM Reference #: 1997340. |
|
1152 |
CVE-2016-2879 |
326 |
|
|
2017-03-01 |
2017-03-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM QRadar 7.2 uses outdated hashing algorithms to hash certain passwords, which could allow a local user to obtain and decrypt user credentials. IBM Reference #: 1997341. |
|
1153 |
CVE-2016-2406 |
275 |
|
+Info |
2017-03-20 |
2017-03-23 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The permission control module in Huawei Document Security Management (aka DSM) before V100R002C05SPC670 allows remote authenticated users to obtain sensitive information from encrypted documents by leveraging incorrect control of permissions on the PrintScreen button. |
|
1154 |
CVE-2016-2379 |
326 |
|
|
2017-03-29 |
2017-04-10 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords. |
|
1155 |
CVE-2016-2225 |
400 |
|
DoS |
2017-03-24 |
2017-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The __read_etc_hosts_r function in libc/inet/resolv.c in uClibc-ng before 1.0.12 allows remote DNS servers to cause a denial of service (infinite loop) via a crafted packet. |
|
1156 |
CVE-2016-2224 |
400 |
|
DoS |
2017-03-24 |
2017-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The __decode_dotted function in libc/inet/resolv.c in uClibc-ng before 1.0.12 allows remote DNS servers to cause a denial of service (infinite loop) via vectors involving compressed items in a reply. |
|
1157 |
CVE-2016-1603 |
200 |
|
+Info |
2017-03-23 |
2017-03-28 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
An information leak in the NetIQ IDM ServiceNow Driver before 1.0.0.1 could expose cryptographic attributes to logged-in users. |
|
1158 |
CVE-2016-1602 |
94 |
|
Exec Code |
2017-03-23 |
2018-10-30 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root). |
|
1159 |
CVE-2016-1597 |
264 |
|
|
2017-03-23 |
2017-03-24 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
A logged-in user in NetIQ Access Governance Suite 6.0 through 6.4 could escalate privileges to administrator. |
|
1160 |
CVE-2016-0770 |
79 |
|
XSS |
2017-03-16 |
2017-03-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in includes/admin/pages/manage.php in the Connections Business Directory plugin before 8.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s variable. |
|
1161 |
CVE-2015-8994 |
264 |
|
+Priv |
2017-03-02 |
2017-03-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode ("opcode" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script's filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user's script usually means gaining privileges to the CMS database. |
|
1162 |
CVE-2015-8993 |
264 |
|
|
2017-03-14 |
2017-03-28 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Malicious file execution vulnerability in Intel Security CloudAV (Beta) before 0.5.0.151.3 allows attackers to make the product momentarily vulnerable via executing preexisting specifically crafted malware during installation or uninstallation, but not during normal operation. |
|
1163 |
CVE-2015-8992 |
264 |
|
|
2017-03-14 |
2017-03-23 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Malicious file execution vulnerability in Intel Security WebAdvisor before 4.0.2, 4.0.1 and 3.7.2 allows attackers to make the product momentarily vulnerable via executing preexisting specifically crafted malware during installation or uninstallation, but not during normal operation. |
|
1164 |
CVE-2015-8991 |
264 |
|
|
2017-03-14 |
2017-03-28 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Malicious file execution vulnerability in Intel Security McAfee Security Scan+ (MSS+) before 3.11.266.3 allows attackers to make the product momentarily vulnerable via executing preexisting specifically crafted malware during installation or uninstallation, but not during normal operation. |
|
1165 |
CVE-2015-8990 |
254 |
|
Bypass |
2017-03-14 |
2017-03-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Detection bypass vulnerability in Intel Security Advanced Threat Defense (ATD) 3.4.6 and earlier allows malware samples to bypass ATD detection via renaming the malware. |
|
1166 |
CVE-2015-8989 |
310 |
|
|
2017-03-14 |
2017-03-22 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Unsalted password vulnerability in the Enterprise Manager (web portal) component in Intel Security McAfee Vulnerability Manager (MVM) 7.5.8 and earlier allows attackers to more easily decrypt user passwords via brute force attacks against the database. |
|
1167 |
CVE-2015-8988 |
77 |
|
Exec Code |
2017-03-14 |
2017-03-23 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Unquoted executable path vulnerability in Client Management and Gateway components in McAfee (now Intel Security) ePO Deep Command (eDC) 2.2 and 2.1 allows authenticated users to execute a command of their choice via dropping a malicious file for the path. |
|
1168 |
CVE-2015-8987 |
284 |
|
|
2017-03-14 |
2017-03-23 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Man-in-the-middle (MitM) attack vulnerability in non-Mac OS agents in McAfee (now Intel Security) Agent (MA) 4.8.0 patch 2 and earlier allows attackers to make a McAfee Agent talk with another, possibly rogue, ePO server via McAfee Agent migration to another ePO server. |
|
1169 |
CVE-2015-8986 |
254 |
|
Bypass |
2017-03-14 |
2017-03-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Sandbox detection evasion vulnerability in hardware appliances in McAfee (now Intel Security) Advanced Threat Defense (MATD) 3.4.2.32 and earlier allows attackers to detect the sandbox environment, then bypass proper malware detection resulting in failure to detect a malware file (false-negative) via specially crafted malware. |
|
1170 |
CVE-2015-8985 |
19 |
|
DoS |
2017-03-20 |
2020-03-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing. |
|
1171 |
CVE-2015-8984 |
125 |
|
DoS |
2017-03-20 |
2017-03-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read. |
|
1172 |
CVE-2015-8983 |
190 |
|
DoS Exec Code Overflow |
2017-03-20 |
2017-03-22 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow. |
|
1173 |
CVE-2015-8982 |
190 |
|
DoS Exec Code Overflow |
2017-03-15 |
2021-06-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow. |
|
1174 |
CVE-2015-8981 |
119 |
|
Overflow |
2017-03-16 |
2017-03-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the PdfParser::ReadXRefSubsection function in base/PdfParser.cpp in PoDoFo allows attackers to have unspecified impact via vectors related to m_offsets.size. |
|
1175 |
CVE-2015-8954 |
264 |
|
Bypass |
2017-03-20 |
2017-03-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The MemcmpLowercase function in Suricata before 2.0.6 improperly excludes the first byte from comparisons, which might allow remote attackers to bypass intrusion-prevention functionality via a crafted HTTP request. |
|
1176 |
CVE-2015-8898 |
476 |
|
DoS |
2017-03-15 |
2018-05-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The WriteImages function in magick/constitute.c in ImageMagick before 6.9.2-4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image file. |
|
1177 |
CVE-2015-8897 |
125 |
|
DoS |
2017-03-15 |
2018-05-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The SpliceImage function in MagickCore/transform.c in ImageMagick before 6.9.2-4 allows remote attackers to cause a denial of service (application crash) via a crafted png file. |
|
1178 |
CVE-2015-8896 |
|
|
DoS |
2017-03-15 |
2021-04-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Integer truncation issue in coders/pict.c in ImageMagick before 7.0.5-0 allows remote attackers to cause a denial of service (application crash) via a crafted .pict file. |
|
1179 |
CVE-2015-8895 |
190 |
|
DoS Overflow |
2017-03-15 |
2018-05-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer overflow in coders/icon.c in ImageMagick 6.9.1-3 and later allows remote attackers to cause a denial of service (application crash) via a crafted length value, which triggers a buffer overflow. |
|
1180 |
CVE-2015-8894 |
415 |
|
DoS |
2017-03-15 |
2017-03-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and later allows remote attackers to cause a denial of service (application crash) via a crafted tga file. |
|
1181 |
CVE-2015-8815 |
79 |
|
XSS |
2017-03-03 |
2017-03-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before 7.4.0 allow remote attackers to inject arbitrary web script or HTML via the name parameter to (1) the media page, (2) the developer data edit page, or (3) the form page. |
|
1182 |
CVE-2015-8814 |
352 |
|
Bypass CSRF |
2017-03-03 |
2017-03-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Umbraco before 7.4.0 allows remote attackers to bypass anti-forgery security measures and conduct cross-site request forgery (CSRF) attacks as demonstrated by editing user account information in the templates.asmx.cs file. |
|
1183 |
CVE-2015-8813 |
918 |
|
|
2017-03-03 |
2017-03-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter. |
|
1184 |
CVE-2015-8764 |
119 |
|
Overflow |
2017-03-27 |
2017-03-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8, which triggers a buffer overflow. |
|
1185 |
CVE-2015-8763 |
125 |
|
|
2017-03-27 |
2017-03-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to have unspecified impact via a crafted (1) commit or (2) confirm message, which triggers an out-of-bounds read. |
|
1186 |
CVE-2015-8762 |
476 |
|
DoS |
2017-03-27 |
2017-03-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a zero-length EAP-PWD packet. |
|
1187 |
CVE-2015-8687 |
79 |
|
XSS |
2017-03-23 |
2017-03-28 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Management Console in Alcatel-Lucent Motive Home Device Manager (HDM) before 4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceTypeID parameter to DeviceType/getDeviceType.do; the (2) policyActionClass or (3) policyActionName parameter to PolicyAction/findPolicyActions.do; the deviceID parameter to (4) SingleDeviceMgmt/getDevice.do or (5) device/editDevice.do; the operation parameter to (6) ajax.do or (7) xmlHttp.do; or the (8) policyAction, (9) policyClass, or (10) policyName parameter to policy/findPolicies.do. |
|
1188 |
CVE-2015-8678 |
20 |
|
DoS |
2017-03-24 |
2017-03-27 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The ION driver in Huawei P8 smartphones with software GRA-TL00 before GRA-TL00C01B230, GRA-CL00 before GRA-CL00C92B230, GRA-CL10 before GRA-CL10C92B230, GRA-UL00 before GRA-UL00C00B230, and GRA-UL10 before GRA-UL10C00B230 and Mate S smartphones with software CRR-TL00 before CRR-TL00C01B160SP01, CRR-UL00 before CRR-UL00C00B160, and CRR-CL00 before CRR-CL00C92B161 allows remote attackers to cause a denial of service (crash) via a crafted application. |
|
1189 |
CVE-2015-8628 |
200 |
|
+Info |
2017-03-23 |
2017-03-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The (1) Special:MyPage, (2) Special:MyTalk, (3) Special:MyContributions, (4) Special:MyUploads, and (5) Special:AllMyUploads pages in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 allow remote attackers to obtain sensitive user login information via crafted links combined with page view statistics. |
|
1190 |
CVE-2015-8627 |
284 |
|
Bypass |
2017-03-23 |
2017-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly normalize IP addresses containing zero-padded octets, which might allow remote attackers to bypass intended access restrictions by using an IP address that was not supposed to have been allowed. |
|
1191 |
CVE-2015-8626 |
255 |
|
|
2017-03-23 |
2017-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The User::randomPassword function in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 generates passwords smaller than $wgMinimalPasswordLength, which makes it easier for remote attackers to obtain access via a brute-force attack. |
|
1192 |
CVE-2015-8625 |
200 |
|
+Info |
2017-03-23 |
2017-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read arbitrary files via an @ (at sign) character in unspecified POST array parameters. |
|
1193 |
CVE-2015-8624 |
352 |
|
Bypass CSRF |
2017-03-23 |
2017-03-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 does not perform token comparison in constant time before determining if a debugging message should be logged, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8623. |
|
1194 |
CVE-2015-8623 |
352 |
|
Bypass CSRF |
2017-03-23 |
2017-03-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The User::matchEditToken function in includes/User.php in MediaWiki before 1.23.12 and 1.24.x before 1.24.5 does not perform token comparison in constant time before returning, which allows remote attackers to guess the edit token and bypass CSRF protection via a timing attack, a different vulnerability than CVE-2015-8624. |
|
1195 |
CVE-2015-8622 |
79 |
|
XSS |
2017-03-23 |
2017-03-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1, when is configured with a relative URL, allows remote authenticated users to inject arbitrary web script or HTML via wikitext, as demonstrated by a wikilink to a page named "javascript:alert('XSS!')." |
|
1196 |
CVE-2015-8556 |
362 |
|
|
2017-03-24 |
2017-03-27 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1. |
|
1197 |
CVE-2015-8310 |
79 |
|
XSS |
2017-03-27 |
2017-03-30 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to inject arbitrary web script or HTML via the playlistname field when creating a new playlist. |
|
1198 |
CVE-2015-8309 |
22 |
|
Dir. Trav. |
2017-03-27 |
2017-03-30 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download." |
|
1199 |
CVE-2015-8234 |
310 |
|
Bypass |
2017-03-29 |
2017-04-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision. |
|
1200 |
CVE-2015-8026 |
119 |
|
DoS Exec Code Overflow |
2017-03-27 |
2021-06-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the verify_vbr_checksum function in exfatfsck in exfat-utils before 1.2.1 allows remote attackers to cause a denial of service (infinite loop) or possibly execute arbitrary code via a crafted filesystem. |
