CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2017-6401 269 Exec Code 2017-03-02 2019-10-03
4.6
None Local Low Not required Partial Partial Partial
An issue was discovered in Veritas NetBackup before 8.0 and NetBackup Appliance before 3.0. Local arbitrary command execution can occur when using bpcd and bpnbat.
302 CVE-2017-6400 Exec Code 2017-03-02 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBackup Appliance Before 2.7.2. Privileged command execution on NetBackup Server and Client can occur (on the local system).
303 CVE-2017-6399 Exec Code 2017-03-02 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBackup Appliance Before 2.7.2. Privileged remote command execution on NetBackup Server and Client (on the server or a connected client) can occur.
304 CVE-2017-6398 78 Exec Code 2017-03-14 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. An authenticated user can execute a terminal command in the context of the web server user (which is root). Besides, the default installation of IMSVA comes with default administrator credentials. The saveCert.imss endpoint takes several user inputs and performs blacklisting. After that, it uses them as arguments to a predefined operating-system command without proper sanitization. However, because of an improper blacklisting rule, it's possible to inject arbitrary commands into it.
305 CVE-2017-6397 79 Exec Code XSS 2017-03-02 2020-07-10
4.3
None Remote Medium Not required None Partial None
An issue was discovered in FlightAirMap v1.0-beta.10. The vulnerability exists due to insufficient filtration of user-supplied data in multiple parameters passed to several *-sub-menu.php pages. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
306 CVE-2017-6396 79 Exec Code XSS 2017-03-02 2017-03-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "webpagetest-master/www/compare-cf.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
307 CVE-2017-6395 79 Exec Code XSS 2017-03-02 2017-03-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in HashOver 2.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the 'hashover/scripts/widget-output.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
308 CVE-2017-6394 79 Exec Code XSS 2017-03-02 2020-07-10
4.3
None Remote Medium Not required None Partial None
Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR 5.0.0 and 5.0.1-dev. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to the "openemr-master/gacl/admin/object_search.php" URL (section_value; src_form). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
309 CVE-2017-6393 79 Exec Code XSS 2017-03-02 2017-03-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in NagVis 1.9b12. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "nagvis-master/share/userfiles/gadgets/std_table.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
310 CVE-2017-6392 79 Exec Code XSS 2017-03-02 2017-03-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "server-Lynx-12.11.0/admin_console/web/tools/XmlJWPlayer.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
311 CVE-2017-6391 79 Exec Code XSS 2017-03-02 2017-03-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "admin_console/web/tools/SimpleJWPlayer.php" URL, the "admin_console/web/tools/AkamaiBroadcaster.php" URL, the "admin_console/web/tools/bigRedButton.php" URL, and the "admin_console/web/tools/bigRedButtonPtsPoc.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
312 CVE-2017-6390 79 Exec Code XSS 2017-03-02 2017-03-07
4.3
None Remote Medium Not required None Partial None
An issue was discovered in whatanime.ga before c334dd8499a681587dd4199e90b0aa0eba814c1d. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "whatanime.ga-master/index.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
313 CVE-2017-6387 125 DoS 2017-03-02 2017-03-04
4.3
None Remote Medium Not required None None Partial
The dex_loadcode function in libr/bin/p/bin_dex.c in radare2 1.2.1 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted DEX file.
314 CVE-2017-6386 772 DoS 2017-03-15 2020-10-21
4.9
None Local Low Not required None None Complete
Memory leak in the vrend_create_vertex_elements_state function in vrend_renderer.c in virglrenderer allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRGL_OBJECT_VERTEX_ELEMENTS commands.
315 CVE-2017-6384 772 DoS 2017-03-02 2019-10-03
7.8
None Remote Low Not required None None Complete
Memory leak in the login_user function in saslserv/main.c in saslserv/main.so in Atheme 7.2.7 allows a remote unauthenticated attacker to consume memory and cause a denial of service. This is fixed in 7.2.8.
316 CVE-2017-6381 829 Exec Code 2017-03-16 2019-10-03
6.8
None Remote Medium Not required Partial Partial Partial
A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit directory from your production deployments
317 CVE-2017-6379 352 CSRF 2017-03-16 2017-07-12
5.1
None Remote High Not required Partial Partial Partial
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
318 CVE-2017-6377 863 Bypass 2017-03-16 2019-10-03
5.0
None Remote Low Not required None Partial None
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
319 CVE-2017-6370 319 +Info 2017-03-17 2019-10-03
5.0
None Remote Low Not required Partial None None
TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI in cases with an https Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.
320 CVE-2017-6369 862 Exec Code 2017-03-24 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so.
321 CVE-2017-6367 20 2017-03-14 2017-03-17
5.0
None Remote Low Not required None None Partial
In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Windows service to crash. The attack methodology involves a long Host header and an invalid Content-Length header.
322 CVE-2017-6366 352 Exec Code CSRF 2017-03-15 2017-03-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely.
323 CVE-2017-6361 78 Exec Code 2017-03-23 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.
324 CVE-2017-6360 78 +Priv +Info 2017-03-23 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and obtain sensitive information via unspecified vectors.
325 CVE-2017-6359 78 Exec Code +Priv 2017-03-23 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administrator privileges and execute arbitrary commands via unspecified vectors.
326 CVE-2017-6356 732 +Info 2017-03-20 2021-09-13
5.0
None Remote Low Not required Partial None None
Palo Alto Networks Terminal Services (aka TS) Agent 6.0, 7.0, and 8.0 before 8.0.1 uses weak permissions for unspecified resources, which allows attackers to obtain sensitive session information via unknown vectors.
327 CVE-2017-6355 190 DoS Overflow 2017-03-10 2017-07-11
2.1
None Local Low Not required None None Partial
Integer overflow in the vrend_create_shader function in vrend_renderer.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (process crash) via crafted pkt_length and offlen values, which trigger an out-of-bounds access.
328 CVE-2017-6353 415 DoS 2017-03-01 2017-11-04
4.9
None Local Low Not required None None Complete
net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986.
329 CVE-2017-6351 798 2017-03-06 2017-09-01
9.3
None Remote Medium Not required Complete Complete Complete
The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded manufacturer account. This account is not documented, nor is the DEBUG feature or the use of telnetd on port tcp/5885.
330 CVE-2017-6348 DoS 2017-03-01 2019-10-03
4.9
None Local Low Not required None None Complete
The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices.
331 CVE-2017-6347 125 DoS 2017-03-01 2017-03-03
7.2
None Local Low Not required Complete Complete Complete
The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Linux kernel before 4.10.1 has incorrect expectations about skb data layout, which allows local users to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted system calls, as demonstrated by use of the MSG_MORE flag in conjunction with loopback UDP transmission.
332 CVE-2017-6346 362 DoS 2017-03-01 2017-11-04
6.9
None Local Medium Not required Complete Complete Complete
Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.
333 CVE-2017-6345 20 DoS 2017-03-01 2018-08-24
4.6
None Local Low Not required Partial Partial Partial
The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls.
334 CVE-2017-6335 125 DoS 2017-03-14 2018-08-04
4.3
None Remote Medium Not required None None Partial
The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a small samples per pixel value in a CMYKA TIFF file.
335 CVE-2017-6334 78 Exec Code 2017-03-06 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077.
336 CVE-2017-6319 119 DoS Overflow 2017-03-02 2017-03-04
6.8
None Remote Medium Not required Partial Partial Partial
The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1.2.1 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted DEX file.
337 CVE-2017-6318 200 +Info 2017-03-20 2020-09-01
5.0
None Remote Low Not required Partial None None
saned in sane-backends 1.0.25 allows remote attackers to obtain sensitive memory information via a crafted SANE_NET_CONTROL_OPTION packet.
338 CVE-2017-6317 772 DoS 2017-03-15 2019-10-03
4.9
None Local Low Not required None None Complete
Memory leak in the add_shader_program function in vrend_renderer.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (host memory consumption) via vectors involving the sprog variable.
339 CVE-2017-6314 835 DoS 2017-03-10 2020-08-04
4.3
None Remote Medium Not required None None Partial
The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file.
340 CVE-2017-6313 191 DoS 2017-03-10 2020-08-04
5.8
None Remote Medium Not required Partial None Partial
Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file.
341 CVE-2017-6312 190 DoS Overflow 2017-03-10 2020-08-04
4.3
None Remote Medium Not required None None Partial
Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations.
342 CVE-2017-6311 476 DoS 2017-03-10 2020-08-04
5.0
None Remote Low Not required None None Partial
gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message.
343 CVE-2017-6210 476 DoS 2017-03-15 2017-07-11
2.1
None Local Low Not required None None Partial
The vrend_decode_reset function in vrend_decode.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (NULL pointer dereference and QEMU process crash) by destroying context 0 (zero).
344 CVE-2017-6209 119 DoS Overflow 2017-03-15 2017-07-11
2.1
None Local Low Not required None None Partial
Stack-based buffer overflow in the parse_identifier function in tgsi_text.c in the TGSI auxiliary module in the Gallium driver in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to parsing properties.
345 CVE-2017-6191 119 Exec Code Overflow 2017-03-23 2017-03-28
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in APNGDis 2.8 and below allows a remote attacker to execute arbitrary code via a crafted filename.
346 CVE-2017-6189 426 Exec Code 2017-03-15 2017-03-24
4.4
None Local Medium Not required Partial Partial Partial
Untrusted search path vulnerability in Amazon Kindle for PC before 1.19 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL in the current working directory of the Kindle Setup installer.
347 CVE-2017-6186 94 Exec Code Bypass 2017-03-21 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
348 CVE-2017-6184 77 2017-03-30 2017-04-04
6.5
None Remote Low ??? Partial Partial Partial
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via the token parameter, aka NSWA-1303.
349 CVE-2017-6183 77 2017-03-30 2017-04-04
6.5
None Remote Low ??? Partial Partial Partial
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314.
350 CVE-2017-6182 78 2017-03-30 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
Total number of vulnerabilities : 1305   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.