CVE-2017-16882 CVSS:0.0
Icinga Core through 1.14.0 initially executes bin/icinga as root but supports configuration options in which this file is owned by a non-root account (and similarly can have etc/icinga.cfg owned by a non-root account), which allows local users to gain privileges by leveraging access to this non-root account, a related issue to CVE-2017-14312. This also affects bin/icingastats, bin/ido2db, and bin/log2ido. (Last Update:2017-11-18) (Publish Update:2017-11-18)
CVE-2017-16834 CVSS:0.0
PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivileged account. (Last Update:2017-11-15) (Publish Update:2017-11-15)
CVE-2017-16757 CVSS:0.0
Hola VPN 1.34 has weak permissions (Everyone:F) under %PROGRAMFILES%, which allows local users to gain privileges via a Trojan horse 7za.exe or hola.exe file. (Last Update:2017-11-14) (Publish Update:2017-11-09)
CVE-2017-16659 CVSS:0.0
The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows local users to gain privileges by leveraging access to the assp user account to install a Trojan horse /usr/share/assp/assp.pl script. (Last Update:2017-11-08) (Publish Update:2017-11-08)
CVE-2017-16638 CVSS:0.0
The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by the OpenRC service script. (Last Update:2017-11-13) (Publish Update:2017-11-06)
CVE-2017-16636 CVSS:0.0
In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new page, new category, and edit post function body message context. Remote attackers are able to bypass the basic editor validation to trigger cross-site scripting. The XSS is persistent and the request method to inject via editor is GET. To save the editor context, the follow-up POST method request must be processed to perform the attack via the application side. The basic validation of the editor does not allow injecting script code and blocks the context. Attackers can inject the code by using an editor tag that is not recognized by the basic validation. This allows a restricted user account to inject malicious script code to perform a persistent attack against higher-privilege web-application user accounts. (Last Update:2017-11-06) (Publish Update:2017-11-06)
CVE-2017-15945 CVSS:7.2
The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, dev-db/percona-server, dev-db/mysql-cluster, and dev-db/mariadb-galera packages before 2017-09-29 have chown calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to the mysql account for creation of a link. (Last Update:2017-11-14) (Publish Update:2017-10-27)
CVE-2017-15649 CVSS:4.6
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346. (Last Update:2017-11-08) (Publish Update:2017-10-19)
CVE-2017-15595 CVSS:7.2
An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking. (Last Update:2017-11-18) (Publish Update:2017-10-18)
CVE-2017-15594 CVSS:4.6
An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging. (Last Update:2017-11-14) (Publish Update:2017-10-18)
This vulnerability list widget is provided by www.cvedetails.com