| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2017-14494 |
200 |
|
+Info |
2017-10-02 |
2018-03-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
dnsmasq before 2.78, when configured as a relay, allows remote attackers to obtain sensitive memory information via vectors involving handling DHCPv6 forwarded requests. |
|
2 |
CVE-2017-8932 |
310 |
|
|
2017-07-06 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries. |
|
3 |
CVE-2017-7430 |
79 |
|
XSS |
2017-05-03 |
2017-05-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have a persistent XSS vulnerability in Framework. |
|
4 |
CVE-2017-5186 |
310 |
|
|
2017-04-27 |
2017-05-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Novell iManager 2.7 before SP7 Patch 9, NetIQ iManager 3.x before 3.0.2.1, Novell eDirectory 8.8.x before 8.8 SP8 Patch 9 Hotfix 2, and NetIQ eDirectory 9.x before 9.0.2 Hotfix 2 (9.0.2.2) use the deprecated MD5 hashing algorithm in a communications certificate. |
|
5 |
CVE-2016-9169 |
79 |
|
XSS |
2017-03-23 |
2017-04-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A reflected XSS vulnerability exists in the web console of the Document Viewer Agent in Novell GroupWise before 2014 R2 Support Pack 1 Hot Patch 2 that may enable a remote attacker to execute JavaScript in the context of a valid user's browser session by getting the user to click on a specially crafted link. This could lead to session compromise or other browser-based attacks. |
|
6 |
CVE-2016-9168 |
20 |
|
|
2017-03-23 |
2017-04-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A missing X-Frame-Options header in the NDS Utility Monitor in NDSD in Novell eDirectory before 9.0.2 could be used by remote attackers for clickjacking. |
|
7 |
CVE-2016-7796 |
20 |
|
DoS |
2016-10-13 |
2017-07-27 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled. |
|
8 |
CVE-2016-6306 |
125 |
|
DoS |
2016-09-26 |
2018-07-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. |
|
9 |
CVE-2016-5761 |
79 |
|
XSS |
2017-04-20 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allows remote attackers to inject arbitrary web script or HTML via a crafted email. |
|
10 |
CVE-2016-5760 |
79 |
|
XSS |
2017-04-20 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the administrator console in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allow remote attackers to inject arbitrary web script or HTML via the (1) token parameter to gwadmin-console/install/login.jsp or (2) PATH_INFO to gwadmin-console/index.jsp. |
|
11 |
CVE-2016-4470 |
|
|
DoS |
2016-06-27 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command. |
|
12 |
CVE-2016-3951 |
|
|
DoS |
2016-05-02 |
2017-08-12 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor. |
|
13 |
CVE-2016-3689 |
|
|
DoS |
2016-05-02 |
2017-09-02 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface. |
|
14 |
CVE-2016-3672 |
254 |
|
Bypass |
2016-04-27 |
2018-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits. |
|
15 |
CVE-2016-3140 |
|
|
DoS |
2016-05-02 |
2017-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. |
|
16 |
CVE-2016-3139 |
|
|
DoS |
2016-04-27 |
2017-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. |
|
17 |
CVE-2016-3138 |
|
|
DoS |
2016-05-02 |
2016-11-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor. |
|
18 |
CVE-2016-3137 |
|
|
DoS |
2016-05-02 |
2016-11-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions. |
|
19 |
CVE-2016-3136 |
|
|
DoS |
2016-05-02 |
2017-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors. |
|
20 |
CVE-2016-2847 |
399 |
|
DoS |
2016-04-27 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes. |
|
21 |
CVE-2016-2782 |
|
|
DoS |
2016-04-27 |
2017-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint. |
|
22 |
CVE-2016-2384 |
|
|
DoS |
2016-04-27 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor. |
|
23 |
CVE-2016-2188 |
|
|
DoS |
2016-05-02 |
2017-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. |
|
24 |
CVE-2016-2187 |
|
|
DoS |
2016-05-02 |
2016-11-28 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. |
|
25 |
CVE-2016-2186 |
|
|
DoS |
2016-05-02 |
2016-11-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. |
|
26 |
CVE-2016-2185 |
|
|
DoS |
2016-05-02 |
2016-11-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. |
|
27 |
CVE-2016-2184 |
|
|
DoS |
2016-04-27 |
2017-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor. |
|
28 |
CVE-2016-1957 |
119 |
|
DoS Overflow |
2016-03-13 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to cause a denial of service (memory consumption) via an MPEG-4 file that triggers a delete operation on an array. |
|
29 |
CVE-2016-1955 |
200 |
|
Bypass +Info |
2016-03-13 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 45.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by reading a Content Security Policy (CSP) violation report that contains path information associated with an IFRAME element. |
|
30 |
CVE-2016-1658 |
284 |
|
Bypass +Info |
2016-04-18 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted extension. |
|
31 |
CVE-2016-1657 |
254 |
|
|
2016-04-18 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 50.0.2661.75 mishandles focus for certain about:blank pages, which allows remote attackers to spoof the address bar via a crafted URL. |
|
32 |
CVE-2016-1603 |
200 |
|
+Info |
2017-03-23 |
2017-03-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
An information leak in the NetIQ IDM ServiceNow Driver before 1.0.0.1 could expose cryptographic attributes to logged-in users. |
|
33 |
CVE-2016-1595 |
200 |
|
+Info |
2016-04-22 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter. |
|
34 |
CVE-2016-1594 |
200 |
|
+Info |
2016-04-22 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action. |
|
35 |
CVE-2016-1285 |
20 |
|
DoS |
2016-03-09 |
2017-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c. |
|
36 |
CVE-2015-8924 |
125 |
|
DoS |
2016-09-20 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file. |
|
37 |
CVE-2015-8923 |
20 |
|
DoS |
2016-09-20 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file. |
|
38 |
CVE-2015-8922 |
476 |
|
DoS |
2016-09-20 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The read_CodersInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted 7z file, related to the _7z_folder struct. |
|
39 |
CVE-2015-8920 |
125 |
|
DoS |
2016-09-20 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file. |
|
40 |
CVE-2015-8845 |
284 |
|
DoS |
2016-04-27 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM suspend mode exists before proceeding with a tm_reclaim call, which allows local users to cause a denial of service (TM Bad Thing exception and panic) via a crafted application. |
|
41 |
CVE-2015-8785 |
399 |
|
DoS |
2016-02-07 |
2016-12-05 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel before 4.4 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov. |
|
42 |
CVE-2015-8551 |
|
|
DoS |
2016-04-13 |
2017-11-03 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to hit BUG conditions and cause a denial of service (NULL pointer dereference and host OS crash) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and a crafted sequence of XEN_PCI_OP_* operations, aka "Linux pciback missing sanity checks." |
|
43 |
CVE-2015-7976 |
254 |
|
|
2017-01-30 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename. |
|
44 |
CVE-2015-7833 |
17 |
|
DoS |
2015-10-19 |
2017-09-12 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor. |
|
45 |
CVE-2015-7566 |
|
|
DoS |
2016-02-07 |
2018-10-09 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint. |
|
46 |
CVE-2015-5968 |
79 |
|
XSS |
2016-03-18 |
2016-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Novell Filr 1.2 before Hot Patch 4 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
|
47 |
CVE-2015-4870 |
|
|
|
2015-10-21 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser. |
|
48 |
CVE-2015-4858 |
|
|
|
2015-10-21 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2015-4913. |
|
49 |
CVE-2015-4830 |
|
|
|
2015-10-21 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges. |
|
50 |
CVE-2015-4826 |
|
|
|
2015-10-21 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Types. |
