CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
6101 CVE-2017-5418 125 +Info 2018-06-11 2018-08-07
5.0
None Remote Low Not required Partial None None
An out of bounds read error occurs when parsing some HTTP digest authorization responses, resulting in information leakage through the reading of random memory containing matches to specifically set patterns. This vulnerability affects Firefox < 52 and Thunderbird < 52.
6102 CVE-2017-5417 20 2018-06-11 2018-08-02
5.0
None Remote Low Not required None Partial None
When dragging content from the primary browser pane to the addressbar on a malicious site, it is possible to change the addressbar so that the displayed location following navigation does not match the URL of the newly loaded page. This allows for spoofing attacks. This vulnerability affects Firefox < 52.
6103 CVE-2017-5416 476 2018-06-11 2018-08-07
5.0
None Remote Low Not required None None Partial
In certain circumstances a networking event listener can be prematurely released. This appears to result in a null dereference in practice. This vulnerability affects Firefox < 52 and Thunderbird < 52.
6104 CVE-2017-5415 20 2018-06-11 2018-08-07
5.0
None Remote Low Not required None Partial None
An attack can use a blob URL and script to spoof an arbitrary addressbar URL prefaced by "blob:" as the protocol, leading to user confusion and further spoofing attacks. This vulnerability affects Firefox < 52.
6105 CVE-2017-5412 119 Overflow 2018-06-11 2018-08-07
5.0
None Remote Low Not required Partial None None
A buffer overflow read during SVG filter color value operations, resulting in data exposure. This vulnerability affects Firefox < 52 and Thunderbird < 52.
6106 CVE-2017-5411 416 2018-06-11 2018-08-02
5.0
None Remote Low Not required None None Partial
A use-after-free can occur during buffer storage operations within the ANGLE graphics library, used for WebGL content. The buffer storage can be freed while still in use in some circumstances, leading to a potentially exploitable crash. Note: This issue is in "libGLES", which is only in use on Windows. Other operating systems are not affected. This vulnerability affects Firefox < 52 and Thunderbird < 52.
6107 CVE-2017-5408 200 +Info 2018-06-11 2018-08-07
5.0
None Remote Low Not required Partial None None
Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
6108 CVE-2017-5406 119 Overflow 2018-06-11 2018-08-07
5.0
None Remote Low Not required None None Partial
A segmentation fault can occur in the Skia graphics library during some canvas operations due to issues with mask/clip intersection and empty masks. This vulnerability affects Firefox < 52 and Thunderbird < 52.
6109 CVE-2017-5405 254 2018-06-11 2018-08-07
5.0
None Remote Low Not required Partial None None
Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
6110 CVE-2017-5389 601 2018-06-11 2018-08-07
5.8
None Remote Medium Not required Partial Partial None
WebExtensions could use the "mozAddonManager" API by modifying the CSP headers on sites with the appropriate permissions and then using host requests to redirect script loads to a malicious site. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 51.
6111 CVE-2017-5388 399 DoS 2018-06-11 2018-08-07
5.0
None Remote Low Not required None None Partial
A STUN server in conjunction with a large number of "webkitRTCPeerConnection" objects can be used to send large STUN packets in a short period of time due to a lack of rate limiting being applied on e10s systems, allowing for a denial of service attack. This vulnerability affects Firefox < 51.
6112 CVE-2017-5385 200 +Info 2018-06-11 2018-08-07
5.0
None Remote Low Not required Partial None None
Data sent with in multipart channels, such as the multipart/x-mixed-replace MIME type, will ignore the referrer-policy response header, leading to potential information disclosure for sites using this header. This vulnerability affects Firefox < 51.
6113 CVE-2017-5383 20 2018-06-11 2018-08-02
5.0
None Remote Low Not required None Partial None
URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
6114 CVE-2017-5382 200 +Info 2018-06-11 2018-08-07
5.0
None Remote Low Not required Partial None None
Feed preview for RSS feeds can be used to capture errors and exceptions generated by privileged content, allowing for the exposure of internal information not meant to be seen by web content. This vulnerability affects Firefox < 51.
6115 CVE-2017-5381 254 2018-06-11 2018-08-07
5.0
None Remote Low Not required None Partial None
The "export" function in the Certificate Viewer can force local filesystem navigation when the "common name" in a certificate contains slashes, allowing certificate content to be saved in unsafe locations with an arbitrary filename. This vulnerability affects Firefox < 51.
6116 CVE-2017-5379 416 2018-06-11 2018-08-07
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in Web Animations when interacting with cycle collection found through fuzzing. This vulnerability affects Firefox < 51.
6117 CVE-2017-5378 200 +Info 2018-06-11 2018-08-02
5.0
None Remote Low Not required Partial None None
Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51.
6118 CVE-2017-5372 200 +Info 2017-01-23 2018-12-10
5.0
None Remote Low Not required Partial None None
The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system information by leveraging a missing authorization check for the (1) getInformation, (2) getParameters, (3) getServiceInfo, (4) getStatistic, or (5) getClientStatistic function, aka SAP Security Note 2331908.
6119 CVE-2017-5371 20 DoS 2017-01-23 2018-12-10
5.0
None Remote Low Not required None None Partial
Odata Server in SAP Adaptive Server Enterprise (ASE) 16 allows remote attackers to cause a denial of service (process crash) via a series of crafted requests, aka SAP Security Note 2330422.
6120 CVE-2017-5359 20 DoS 2017-03-15 2018-10-09
5.0
None Remote Low Not required None None Partial
EasyCom SQL iPlug allows remote attackers to cause a denial of service via the D$EVAL parameter to the default URI.
6121 CVE-2017-5357 416 DoS 2017-02-16 2017-02-17
5.0
None Remote Low Not required None None Partial
regex.c in GNU ed before 1.14.1 allows attackers to cause a denial of service (crash) via a malformed command, which triggers an invalid free.
6122 CVE-2017-5356 125 DoS 2017-03-03 2018-02-03
5.0
None Remote Low Not required None None Partial
Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).
6123 CVE-2017-5350 388 2017-01-12 2017-01-27
5.0
None Remote Low Not required None None Partial
Samsung Note devices with L(5.0/5.1), M(6.0), and N(7.0) software allow attackers to crash systemUI by leveraging incomplete exception handling. The Samsung ID is SVE-2016-7122.
6124 CVE-2017-5335 125 DoS 2017-03-24 2018-10-30
5.0
None Remote Low Not required None None Partial
The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate.
6125 CVE-2017-5328 284 2017-01-27 2017-02-07
5.0
None Remote Low Not required None Partial None
Palo Alto Networks Terminal Services Agent before 7.0.7 allows attackers to spoof arbitrary users via unspecified vectors.
6126 CVE-2017-5263 352 CSRF 2017-12-20 2018-01-05
5.4
None Local Network Medium Not required Partial Partial Partial
Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack CSRF controls that can mitigate the effects of CSRF attacks, which are most typically implemented as randomized per-session tokens associated with any web application function, especially destructive ones.
6127 CVE-2017-5250 310 2018-02-22 2018-03-21
5.0
None Remote Low Not required Partial None None
In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
6128 CVE-2017-5249 310 2018-02-22 2018-03-21
5.0
None Remote Low Not required Partial None None
In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
6129 CVE-2017-5240 119 DoS Overflow 2017-05-03 2017-05-15
5.0
None Remote Low Not required None None Partial
Editions of Rapid7 AppSpider Pro prior to version 6.14.060 contain a heap-based buffer overflow in the FLAnalyzer.exe component. A malicious or malformed Flash source file can cause a denial of service condition when parsed by this component, causing the application to crash.
6130 CVE-2017-5239 326 2017-03-27 2017-03-30
5.0
None Remote Low Not required Partial None None
Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener.
6131 CVE-2017-5238 119 Overflow 2017-03-27 2017-03-30
5.0
None Remote Low Not required None Partial None
Due to a lack of bounds checking, several input configuration fields for the Eview EV-07S GPS Tracker will overflow data stored in one variable to another, overwriting the data of another field.
6132 CVE-2017-5231 22 Dir. Trav. 2017-03-02 2017-03-20
5.1
None Remote High Not required Partial Partial Partial
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter stdapi CommandDispatcher.cmd_download() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary directory on the Metasploit console with the permissions of the running Metasploit instance.
6133 CVE-2017-5229 22 Dir. Trav. 2017-03-02 2017-03-20
5.1
None Remote High Not required Partial Partial Partial
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter extapi Clipboard.parse_dump() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary directory on the Metasploit console with the permissions of the running Metasploit instance.
6134 CVE-2017-5228 22 Dir. Trav. 2017-03-02 2017-03-20
5.1
None Remote High Not required Partial Partial Partial
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter stdapi Dir.download() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary directory on the Metasploit console with the permissions of the running Metasploit instance.
6135 CVE-2017-5227 200 +Info 2017-03-23 2017-08-15
5.0
None Remote Low Not required Partial None None
QNAP QTS before 4.2.4 Build 20170313 allows local users to obtain sensitive Domain Administrator password information by reading data in an XOR format within the /etc/config/uLinux.conf configuration file.
6136 CVE-2017-5214 254 2017-05-17 2017-05-26
5.0
None Remote Low Not required Partial None None
The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows prediction of a uniqid value based on knowledge of a time value. This makes it easier to read arbitrary uploaded files.
6137 CVE-2017-5211 20 2019-05-23 2019-05-23
5.0
None Remote Low Not required None Partial None
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Content Spoofing.
6138 CVE-2017-5210 200 +Info 2019-05-23 2019-05-23
5.0
None Remote Low Not required Partial None None
Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Information Exposure.
6139 CVE-2017-5196 125 DoS 2017-03-03 2017-06-30
5.0
None Remote Low Not required None None Partial
Irssi 0.8.18 before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via vectors involving strings that are not UTF8.
6140 CVE-2017-5195 125 DoS 2017-03-03 2017-06-30
5.0
None Remote Low Not required None None Partial
Irssi 0.8.17 before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted ANSI x8 color code.
6141 CVE-2017-5194 416 DoS 2017-03-03 2018-02-03
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in Irssi before 0.8.21 allows remote attackers to cause a denial of service (crash) via an invalid nick message.
6142 CVE-2017-5193 476 DoS 2017-03-03 2018-02-03
5.0
None Remote Low Not required None None Partial
The nickcmp function in Irssi before 0.8.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a message without a nick.
6143 CVE-2017-5189 287 2018-03-02 2018-03-21
5.0
None Remote Low Not required Partial None None
NetIQ iManager before 3.0.3 delivered a SSL private key in a Java application (JAR file) for authentication to Sentinel, allowing attackers to extract and establish their own connections to the Sentinel appliance.
6144 CVE-2017-5188 200 +Info 2018-03-01 2018-03-22
5.0
None Remote Low Not required Partial None None
The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.
6145 CVE-2017-5185 DoS 2017-03-30 2017-11-02
5.0
None Remote Low Not required None None Partial
A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0.1 that may allow remote denial of service.
6146 CVE-2017-5184 200 +Info 2017-03-30 2017-11-02
5.0
None Remote Low Not required Partial None None
A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0.1 that may allow leakage of information (account enumeration).
6147 CVE-2017-5177 119 Exec Code Overflow 2017-05-18 2017-09-15
5.0
None Remote Low Not required None None Partial
A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 5.0.45.5921 and prior. A stack-based buffer overflow vulnerability has been identified, where an attacker with a specially crafted packet could overflow the fixed length buffer. This could allow remote code execution.
6148 CVE-2017-5169 352 Exec Code CSRF 2017-02-13 2017-02-28
5.1
None Remote High Not required Partial Partial Partial
An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By issuing specific HTTP Post requests, an attacker can gain system level access to a remote shell session. Smart Security Manager Versions 1.5 and prior are affected by these vulnerabilities. These vulnerabilities can allow for remote code execution.
6149 CVE-2017-5168 22 Exec Code Dir. Trav. 2017-02-13 2017-02-28
5.1
None Remote High Not required Partial Partial Partial
An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Path Traversal vulnerabilities have been identified. The flaws exist within the ActiveMQ Broker service that is installed as part of the product. By issuing specific HTTP requests, if a user visits a malicious page, an attacker can gain access to arbitrary files on the server. Smart Security Manager Versions 1.4 and prior to 1.31 are affected by these vulnerabilities. These vulnerabilities can allow for remote code execution.
6150 CVE-2017-5166 200 +Priv +Info 2017-02-13 2017-02-16
5.0
None Remote Low Not required Partial None None
An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. An INFORMATION EXPOSURE flaw can be used to gain privileged access to the device.
Total number of vulnerabilities : 23352   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 (This Page)124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.