CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In January 2017

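Columns (each record below spans four lines):
Line 1: #, CVE ID, CWE ID, # of Exploits, Vulnerability Type(s), Publish Date, Update Date
Line 2: Score
Line 3: Gained Access Level, Access, Complexity, Authentication, Conf., Integ., Avail.
Line 4: Description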
1 CVE-2010-5327 264 Exec Code 2017-01-13 2017-01-17
6.5
None Remote Low Single system Partial Partial Partial
Liferay Portal through 6.2.10 allows remote authenticated users to execute arbitrary shell commands via a crafted Velocity template.
2 CVE-2013-7451 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the XSS filter via a nested tag.
3 CVE-2013-7452 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via a crafted javascript URI.
4 CVE-2013-7453 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via vectors related to UI redressing.
5 CVE-2013-7454 79 XSS Bypass 2017-01-23 2017-01-24
4.3
None Remote Medium Not required None Partial None
The validator module before 1.1.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via nested forbidden strings.
6 CVE-2014-2045 79 XSS 2017-01-20 2018-10-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the old and new interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the username when (1) logging in or (2) creating an account in the old interface, (3) username when creating an account in the new interface, (4) hostname in the old interface, (5) inspect parameter in the config module, (6) commands parameter in the atcommands tool, or (7) host parameter in the ping tool.
7 CVE-2014-8362 284 2017-01-23 2017-01-25
10.0
None Remote Low Not required Complete Complete Complete
Vivint Sky Control Panel 1.1.1.9926 allows remote attackers to enable and disable the alarm system and modify other security settings via the Web-enabled interface.
8 CVE-2014-9754 20 2017-01-20 2018-10-09
4.3
None Remote Medium Not required None Partial None
The hardware VPN client in Viprinet MultichannelVPN Router 300 version 2013070830/2013080900 does not validate the remote VPN endpoint identity (through the checking of the endpoint's SSL key) before initiating the exchange, which allows an attacker to perform a Man in the Middle attack.
9 CVE-2014-9755 20 2017-01-20 2018-10-09
5.0
None Remote Low Not required None None Partial
The hardware VPN client in Viprinet MultichannelVPN Router 300 version 2013070830/2013080900 does not validate the remote VPN endpoint identity (through the checking of the endpoint's SSL key) before initiating the exchange, which allows remote attackers to perform a replay attack.
10 CVE-2014-9772 79 XSS Bypass 2017-01-23 2017-03-28
4.3
None Remote Medium Not required None Partial None
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
11 CVE-2014-9909 264 Exec Code 2017-01-18 2017-01-19
9.3
None Remote Medium Not required Complete Complete Complete
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-31676542. References: B-RB#26684.
12 CVE-2014-9910 264 Exec Code 2017-01-18 2017-01-19
7.6
None Remote High Not required Complete Complete Complete
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: N/A. Android ID: A-31746399. References: B-RB#26710.
13 CVE-2014-9911 119 DoS Overflow 2017-01-04 2019-04-23
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call.
14 CVE-2014-9912 119 DoS Overflow 2017-01-04 2017-01-06
7.5
None Remote Low Not required Partial Partial Partial
The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.
15 CVE-2014-9913 119 DoS Overflow 2017-01-18 2017-01-20
2.1
None Local Low Not required None None Partial
Buffer overflow in the list_files function in list.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via vectors related to the compression method.
16 CVE-2015-2180 74 Exec Code 2017-01-30 2018-10-30
9.0
None Remote Low Single system Complete Complete Complete
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
17 CVE-2015-2181 119 Overflow 2017-01-30 2018-05-02
6.5
None Remote Low Single system Partial Partial Partial
Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.
18 CVE-2015-2867 798 2017-01-06 2017-01-10
10.0
None Remote Low Not required Complete Complete Complete
A design flaw in the Trane ComfortLink II SCC firmware version 2.0.2 service allows remote attackers to take complete control of the system.
19 CVE-2015-2868 119 Exec Code Overflow 2017-01-06 2017-01-10
10.0
None Remote Low Not required Complete Complete Complete
An exploitable remote code execution vulnerability exists in the Trane ComfortLink II firmware version 2.0.2 in DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long REG request that can overflow a fixed size stack buffer, resulting in arbitrary code execution.
20 CVE-2015-3188 264 Exec Code 2017-01-13 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
The UI daemon in Apache Storm 0.10.0 before 0.10.0-beta1 allows remote attackers to execute arbitrary code via unspecified vectors.
21 CVE-2015-3441 77 Exec Code 2017-01-05 2017-01-17
9.0
None Remote Low Single system Complete Complete Complete
The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter.
22 CVE-2015-4591 79 XSS 2017-01-10 2018-10-09
4.3
None Remote Medium Not required None Partial None
eClinicalWorks Population Health (CCMR) suffers from a cross site scripting vulnerability in login.jsp which allows remote unauthenticated users to inject arbitrary javascript via the strMessage parameter.
23 CVE-2015-4592 89 Sql 2017-01-10 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
eClinicalWorks Population Health (CCMR) suffers from an SQL injection vulnerability in portalUserService.jsp which allows remote authenticated users to inject arbitrary malicious database commands as part of user input.
24 CVE-2015-4593 352 CSRF 2017-01-10 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
eClinicalWorks Population Health (CCMR) suffers from a cross-site request forgery (CSRF) vulnerability in portalUserService.jsp which allows remote attackers to hijack the authentication of content administrators for requests that could lead to the creation, modification and deletion of users, appointments and employees.
25 CVE-2015-4594 284 2017-01-10 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existent session ID.
26 CVE-2015-4626 189 2017-01-23 2017-01-26
5.0
None Remote Low Not required None Partial None
B.A.S C2Box before 4.0.0 (r19171) relies on client-side validation, which allows remote attackers to "corrupt the business logic" via a negative value in an overdraft.
27 CVE-2015-6501 601 2017-01-12 2018-05-24
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Console in Puppet Enterprise before 2015.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the string parameter.
28 CVE-2015-7331 254 Exec Code 2017-01-30 2017-02-24
4.9
None Remote Medium Single system Partial Partial None
The mcollective-puppet-agent plugin before 1.11.1 for Puppet allows remote attackers to execute arbitrary code via vectors involving the --server argument.
29 CVE-2015-7743 611 2017-01-23 2017-01-25
4.0
None Remote Low Single system Partial None None
XML external entity vulnerability in PRTG Network Monitor before 16.2.23.3077/3078 allows remote authenticated users to read arbitrary files by creating a new HTTP XML/REST Value sensor that accesses a crafted XML file.
30 CVE-2015-7848 190 Overflow 2017-01-06 2017-11-09
5.0
None Remote Low Not required None None Partial
An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-bounds memory copy operation when processing a specially crafted private mode packet. The crafted packet needs to have the correct message authentication code and a valid timestamp. When processed by the NTP daemon, it leads to an immediate crash.
31 CVE-2015-7973 254 2017-01-30 2017-11-20
5.8
None Remote Medium Not required None Partial Partial
NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.
32 CVE-2015-7975 119 DoS Overflow 2017-01-30 2017-11-20
2.1
None Local Low Not required None None Partial
The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 does not properly validate the length of its input, which allows an attacker to cause a denial of service (application crash).
33 CVE-2015-7976 254 2017-01-30 2018-10-30
4.0
None Remote Low Single system None Partial None
The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename.
34 CVE-2015-7977 476 DoS 2017-01-30 2018-05-17
4.3
None Remote Medium Not required None None Partial
ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.
35 CVE-2015-7978 400 DoS 2017-01-30 2018-05-17
5.0
None Remote Low Not required None None Partial
NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.
36 CVE-2015-7979 19 DoS 2017-01-30 2018-05-17
5.0
None Remote Low Not required None None Partial
NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client.
37 CVE-2015-8020 200 +Info 2017-01-11 2017-11-15
4.3
None Remote Medium Not required Partial None None
Clustered Data ONTAP versions 8.0, 8.3.1, and 8.3.2 contain a default privileged account which under certain conditions can be used for unauthorized information disclosure.
38 CVE-2015-8034 200 +Info 2017-01-30 2017-03-01
2.1
None Local Low Not required Partial None None
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
39 CVE-2015-8138 20 Bypass 2017-01-30 2017-11-20
5.0
None Remote Low Not required None Partial None
NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero.
40 CVE-2015-8139 284 2017-01-30 2017-11-20
5.0
None Remote Low Not required None Partial None
ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.
41 CVE-2015-8140 284 2017-01-30 2017-11-20
5.8
None Remote Medium Not required None Partial Partial
The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to conduct replay attacks by sniffing the network.
42 CVE-2015-8158 DoS 2017-01-30 2018-01-04
4.3
None Remote Medium Not required None None Partial
The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values.
43 CVE-2015-8212 20 Exec Code 2017-01-19 2017-01-20
7.5
None Remote Low Not required Partial Partial Partial
CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware program.
44 CVE-2015-8315 399 DoS 2017-01-23 2017-03-01
7.8
None Remote Low Not required None None Complete
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
45 CVE-2015-8667 79 XSS 2017-01-18 2017-01-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email.
46 CVE-2015-8684 79 XSS 2017-01-18 2017-01-19
4.3
None Remote Medium Not required None Partial None
Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the elFinder functionality.
47 CVE-2015-8854 399 DoS 2017-01-23 2017-01-24
7.8
None Remote Low Not required None None Complete
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
48 CVE-2015-8855 399 DoS 2017-01-23 2017-01-26
7.8
None Remote Low Not required None None Complete
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
49 CVE-2015-8856 79 XSS 2017-01-23 2017-03-01
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the serve-index package before 1.6.3 for Node.js allows remote attackers to inject arbitrary web script or HTML via a crafted file or directory name.
50 CVE-2015-8857 254 Bypass 2017-01-23 2017-03-01
7.5
None Remote Low Not required Partial Partial Partial
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.
Total number of vulnerabilities: 1085 (page 1 of 22)