■ 디지털 트랜스포메이션의 이점

 

- 더 빠른 출구 시간

- 더 고품질의 결과

- 수익 증대

- 더 높은 신뢰성

- 비용 절감

 

 

■ 디지털 트랜스포메이션의 필수 요소

 

- 데브옵스(DevOps)

- 서비스 지향성

- 모니터링과 분석

- 확장 가능한 인프라

- 조율된 분산

- ID 관리

 

 

■ 디지털 트랜스포메이션으로 나아가는 6단계

 

① 실현 가능성 강조

② 적절한 프로젝트 선정

③ 적절한 팀 구성

④ 데브옵스 운용

⑤ 클라우드 선택

⑥ 측정, 분석, 보고

 

 

 

** 출처: [IDG Deep Dive] 2017 디지털 트랜스포메이션 가이드

저작자 표시 비영리 변경 금지
신고
Posted by manga0713

 

 

 

 

- 실제 보안 공격의 80%가 집중되는 애플리케이션은 기업 환경의 가장 큰 취약점으로 존재하는 상황

 

- 기업들에겐 애플리케이션의 수명주기 전반에 충분한 수준의 포괄적 보안 툴킷을 구축하는 노력이 요구됨

 

- 기업들은 자사가 처한 보안 리스크의 성격에 적합한 도구 선택을 위한 올바른 질문 능력을 갖춰야 함

 

 

 

■ 체크포인트

 

 

1. 어떤 애플리케이션 유형(웹, 모바일, 설치형, IoT 등)을 개발하는가?

 

2. 애플리케이션이 연결되는 네트워크 유형(인터넷, LAN, 무선 등)은 어떠한가?

 

3. 애플리케이션의 모든 소스 코드에 대한 접근이 가능한가?

 

4. 어떤 프로그래밍 언어를 이용하고 있는가?

 

5. 애플리케이션 내에 얼마나 많은 오픈소스가 이용되고 있는가?

 

6. 애플리케이션 인도 후 발견된 취약점을 어떻게 추적, 시험할 것인가?

 

7. 자사의 애플리케이션 개발 모델은 어떠한가?

 

8. 애플리케이션 보안 툴의 사용자는 누구인가?

 

9. 애플리케이션 보안 예산 수준은 어떠한가?

 

 

 

** 출처: [ITWorld] 애플리케이션 보안 솔루션 선택을 위한 9가지 체크포인트

저작자 표시 비영리 변경 금지
신고
Posted by manga0713

 

 

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

 

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apple -- quicktime Buffer overflow in QuickTime before 7.7.1 for Windows allows remote attackers to execute arbitrary code. 2017-04-24 7.5 CVE-2011-3428
CONFIRM(link is external)
cygwin -- cygwin Cygwin before 2.5.0 does not properly handle updating permissions when changing users, which allows attackers to gain privileges. 2017-04-21 7.5 CVE-2016-3067
MLIST(link is external)
MLIST(link is external)
MLIST(link is external)
MLIST(link is external)
CONFIRM
d-link -- dap-2360_firmware Buffer overflow in D-Link DAP-2310 2.06 and earlier, DAP-2330 1.06 and earlier, DAP-2360 2.06 and earlier, DAP-2553 H/W ver. B1 3.05 and earlier, DAP-2660 1.11 and earlier, DAP-2690 3.15 and earlier, DAP-2695 1.16 and earlier, DAP-3320 1.00 and earlier, and DAP-3662 1.01 and earlier allows remote attackers to have unspecified impact via a crafted 'dlink_uid' cookie. 2017-04-21 10.0 CVE-2016-1558
MISC(link is external)
FULLDISC
CONFIRM(link is external)
d-link -- dvg-n5402sp_firmware D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 has a default password of root for the root account and tw for the tw account, which makes it easier for remote attackers to obtain administrative access. 2017-04-24 10.0 CVE-2015-7246
MISC(link is external)
FULLDISC
EXPLOIT-DB(link is external)
d-link -- dvg-n5402sp_firmware D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 discloses usernames, passwords, keys, values, and web account hashes (super and admin) in plaintext when running a configuration backup, which allows remote attackers to obtain sensitive information. 2017-04-24 7.8 CVE-2015-7247
MISC(link is external)
FULLDISC
EXPLOIT-DB(link is external)
exagrid -- ex40000e_firmware ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session. 2017-04-21 10.0 CVE-2016-1560
MISC(link is external)
MISC(link is external)
MISC(link is external)
exponentcms -- exponent_cms Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php. 2017-04-21 7.5 CVE-2017-7991
MISC
MISC(link is external)
MISC(link is external)
fedoraproject -- fedora org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code. 2017-04-21 7.5 CVE-2016-2173
FEDORA
FEDORA
FEDORA
CONFIRM(link is external)
CONFIRM(link is external)
freetype -- freetype FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. 2017-04-24 7.5 CVE-2017-8105
MISC
MISC
google -- android Android allows users to cause a denial of service. 2017-04-21 7.8 CVE-2016-0833
BID(link is external)
MISC(link is external)
juniper -- northstar_controller A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause denials of services to underlying database tables leading to potential information disclosure, modification of system states, and partial to full denial of services relying upon data modified by an attacker. 2017-04-24 7.5 CVE-2017-2317
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious attacker to compromise the systems confidentiality or integrity without authentication, leading to managed systems being compromised or services being denied to authentic end users and systems as a result. 2017-04-24 7.5 CVE-2017-2319
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause various denials of services leading to targeted information disclosure, modification of any component of the NorthStar system, including managed systems, and full denial of services to any systems under management which NorthStar interacts with using read-only or read-write credentials. 2017-04-24 10.0 CVE-2017-2320
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause various system services partial to full denials of services, modification of system states and files, and potential disclosure of sensitive information which may assist the attacker in further attacks on the system through the use of multiple attack vectors, including man-in-the-middle attacks, file injections, and malicious execution of commands causing out of bound memory conditions leading to other attacks. 2017-04-24 7.5 CVE-2017-2321
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A firewall bypass vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to bypass firewall policies, leading to authentication bypass methods, information disclosure, modification of system files, and denials of service. 2017-04-24 7.5 CVE-2017-2331
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller An insufficient authentication vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious, network based, unauthenticated attacker to perform privileged actions to gain complete control over the environment. 2017-04-24 9.3 CVE-2017-2332
BID(link is external)
CONFIRM(link is external)
lenovo -- lenovo_system_update Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by navigating to (1) "Click here to learn more" or (2) "View privacy policy" within the Tvsukernel.exe GUI application in the context of a temporary administrator account, aka a "local privilege escalation vulnerability." 2017-04-24 7.2 CVE-2015-8110
BID(link is external)
MISC(link is external)
CONFIRM(link is external)
linux -- linux_kernel drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x and 4.10.x before 4.10.7 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8061
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10.x before 4.10.4 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8062
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8063
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8064
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8065
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x before 4.10.2 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8066
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x before 4.10.12 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8067
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8068
CONFIRM
MLIST(link is external)
BID(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8069
CONFIRM
MLIST(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interacts incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause a denial of service (system crash or memory corruption) or possibly have unspecified other impact by leveraging use of more than one virtual page for a DMA scatterlist. 2017-04-23 7.2 CVE-2017-8070
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors. 2017-04-23 7.2 CVE-2017-8072
CONFIRM
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
lshell_project -- lshell lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands. 2017-04-24 9.0 CVE-2016-6902
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
lshell_project -- lshell lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands. 2017-04-24 9.0 CVE-2016-6903
MLIST(link is external)
BID(link is external)
CONFIRM
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
netgear -- wndap210v2_firmware (1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands. 2017-04-21 10.0 CVE-2016-1555
MISC(link is external)
FULLDISC
CONFIRM(link is external)
securebrain -- phishwall_client Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer before 3.7.8.2. 2017-04-21 9.3 CVE-2016-4846
JVN(link is external)
JVNDB(link is external)
CONFIRM(link is external)
BID(link is external)
shopware -- shopware The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code. 2017-04-21 10.0 CVE-2016-3109
MISC(link is external)
BUGTRAQ(link is external)
BID(link is external)
CONFIRM(link is external)
tenable -- appliance Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands. 2017-04-21 10.0 CVE-2017-8051
CONFIRM(link is external)
MISC(link is external)
EXPLOIT-DB(link is external)
tp-link -- tl-sg108e_firmware On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build 20141017 Rel.50749 firmware. 2017-04-23 7.8 CVE-2017-8076
MISC(link is external)
yeager -- yeager_cms SQL injection vulnerability in the password recovery feature in Yeager CMS 1.2.1 allows remote attackers to change the account credentials of known users via the "userEmail" parameter. 2017-04-24 7.5 CVE-2015-7568
MISC(link is external)
FULLDISC
BUGTRAQ(link is external)
EXPLOIT-DB(link is external)
yeager -- yeager_cms SQL injection vulnerability in "yeager/y.php/tab_USERLIST" in Yeager CMS 1.2.1 allows local users to execute arbitrary SQL commands via the "pagedir_orderby" parameter. 2017-04-24 7.5 CVE-2015-7569
MISC(link is external)
FULLDISC
BUGTRAQ(link is external)
EXPLOIT-DB(link is external)
Back to top

 

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
_akindo_sushiro_co_ltd -- sushiro Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates. 2017-04-21 4.3 CVE-2016-4830
JVN(link is external)
JVNDB(link is external)
BID(link is external)
aeon -- waon WAON "Service Application" for Android 1.4.1 and earlier does not verify SSL certificates. 2017-04-21 4.3 CVE-2016-4832
JVN(link is external)
JVNDB(link is external)
BID(link is external)
akerun -- smart_lock_robot Akerun - Smart Lock Robot App for iOS before 1.2.4 does not verify SSL certificates. 2017-04-21 4.3 CVE-2016-1148
JVN(link is external)
JVNDB(link is external)
CONFIRM(link is external)
apple -- safari WebKit, as used in Safari 5.0.6, allows remote attackers to cause a denial of service (process crash) or arbitrary code execution. 2017-04-24 6.8 CVE-2011-3438
CONFIRM(link is external)
artistscope -- copysafe_web_protection There is CSRF in the CopySafe Web Protection plugin before 2.6 for WordPress, allowing attackers to change plugin settings. 2017-04-24 4.3 CVE-2017-8100
MISC
MISC
bro -- bro analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not properly handle zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer over-read if NDEBUG; otherwise assertion failure) via a crafted DNP3 packet. 2017-04-24 5.0 CVE-2015-1521
CONFIRM(link is external)
bro -- bro analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not reject certain non-zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer over-read) via a crafted DNP3 packet. 2017-04-24 5.0 CVE-2015-1522
CONFIRM(link is external)
browserweb_inc -- whizz There is CSRF in the WHIZZ plugin before 1.1.1 for WordPress, allowing attackers to delete any WordPress users and change the plugin's status via a GET request. 2017-04-24 5.8 CVE-2017-8099
MISC
MISC
concrete5 -- concrete5 concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any users or any administrators. 2017-04-24 4.3 CVE-2017-8082
MISC(link is external)
MISC(link is external)
MISC(link is external)
craftcms -- craft_cms Craft CMS before 2.6.2974 allows XSS attacks. 2017-04-21 4.3 CVE-2017-8052
CONFIRM(link is external)
CONFIRM(link is external)
cybozu -- garoon Cybozu Garoon before 4.2.1 allows remote attackers to cause a denial of service. 2017-04-21 4.0 CVE-2016-1194
JVN(link is external)
JVNDB(link is external)
CONFIRM(link is external)
cybozu -- kintone Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates. 2017-04-21 4.3 CVE-2016-1186
JVN(link is external)
JVNDB(link is external)
BID(link is external)
CONFIRM(link is external)
cybozu -- kunai Cybozu KUNAI for iPhone 2.0.3 through 3.1.5 and for Android 2.1.2 through 3.0.4 does not verify SSL certificates. 2017-04-21 4.3 CVE-2016-1187
JVN(link is external)
JVNDB(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
cybozu -- mailwise Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers. 2017-04-21 4.3 CVE-2016-4841
JVN(link is external)
JVNDB(link is external)
BID(link is external)
CONFIRM(link is external)
d-link -- dvg-n5402sp_firmware Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter. 2017-04-24 5.0 CVE-2015-7245
MISC(link is external)
FULLDISC
EXPLOIT-DB(link is external)
dmm -- ppv_play_player DMM Movie Player App for Android before 1.2.1, and DMM Movie Player App for iPhone/iPad before 2.1.3 does not verify SSL certificates. 2017-04-21 4.3 CVE-2016-4829
JVN(link is external)
JVNDB(link is external)
e107 -- e107 e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker. 2017-04-24 4.3 CVE-2017-8098
MISC
MISC(link is external)
exagrid -- ex40000e_firmware ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image. 2017-04-21 5.0 CVE-2016-1561
MISC(link is external)
MISC(link is external)
MISC(link is external)
exponentcms -- exponent_cms In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php. 2017-04-24 4.3 CVE-2017-8085
CONFIRM
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
extplorer -- extplorer Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file. 2017-04-24 6.8 CVE-2016-4313
MISC
MISC(link is external)
BUGTRAQ(link is external)
EXPLOIT-DB(link is external)
fedoraproject -- fedora Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149. 2017-04-21 6.8 CVE-2016-0720
FEDORA
FEDORA
REDHAT(link is external)
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
fedoraproject -- fedora Session fixation vulnerability in pcsd in pcs before 0.9.157. 2017-04-21 4.3 CVE-2016-0721
FEDORA
FEDORA
REDHAT(link is external)
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information. 2017-04-21 5.0 CVE-2016-5168
BID(link is external)
CONFIRM
CONFIRM(link is external)
MISC(link is external)
google -- chrome Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.2987.108 for Android allowed a remote attacker to execute arbitrary code via a crafted HTML page. 2017-04-24 6.8 CVE-2017-5030
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. 2017-04-24 6.8 CVE-2017-5031
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome PDFium in Google Chrome prior to 57.0.2987.98 for Windows could be made to increment off the end of a buffer, which allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. 2017-04-24 6.8 CVE-2017-5032
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page. 2017-04-24 4.3 CVE-2017-5033
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. 2017-04-24 6.8 CVE-2017-5034
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome Google Chrome prior to 57.0.2987.98 for Windows and Mac had a race condition, which could cause Chrome to display incorrect certificate information for a site. 2017-04-24 6.8 CVE-2017-5035
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to have an unspecified impact via a crafted PDF file. 2017-04-24 6.8 CVE-2017-5036
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. 2017-04-24 6.8 CVE-2017-5037
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac had a use after free bug in GuestView, which allowed a remote attacker to perform an out of bounds memory read via a crafted Chrome extension. 2017-04-24 6.8 CVE-2017-5038
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. 2017-04-24 6.8 CVE-2017-5039
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android was missing a neutering check, which allowed a remote attacker to read values in memory via a crafted HTML page. 2017-04-24 4.3 CVE-2017-5040
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome Google Chrome prior to 57.0.2987.100 incorrectly handled back-forward navigation, which allowed a remote attacker to display incorrect information for a site via a crafted HTML page. 2017-04-24 4.3 CVE-2017-5041
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac had a use after free bug in GuestView, which allowed a remote attacker to perform an out of bounds memory read via a crafted Chrome extension. 2017-04-24 6.8 CVE-2017-5043
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome Heap buffer overflow in filter processing in Skia in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. 2017-04-24 6.8 CVE-2017-5044
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome XSS Auditor in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed detection of a blocked iframe load, which allowed a remote attacker to brute force JavaScript variables via a crafted HTML page. 2017-04-24 4.3 CVE-2017-5045
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android had insufficient policy enforcement, which allowed a remote attacker to spoof the location object via a crafted HTML page, related to Blink information disclosure. 2017-04-24 4.3 CVE-2017-5046
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. 2017-04-24 6.8 CVE-2017-5047
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. 2017-04-24 6.8 CVE-2017-5048
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. 2017-04-24 6.8 CVE-2017-5049
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. 2017-04-24 6.8 CVE-2017-5050
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android allowed a remote attacker to perform an out of bounds memory write via a crafted video file, related to ChunkDemuxer. 2017-04-24 6.8 CVE-2017-5051
CONFIRM(link is external)
CONFIRM(link is external)
grandstream -- wave The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/. 2017-04-21 6.8 CVE-2016-1518
MISC(link is external)
BUGTRAQ(link is external)
MISC(link is external)
grandstream -- wave The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. 2017-04-21 4.3 CVE-2016-1519
MISC(link is external)
BUGTRAQ(link is external)
MISC(link is external)
grandstream -- wave The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application. 2017-04-21 6.8 CVE-2016-1520
MISC(link is external)
BUGTRAQ(link is external)
MISC(link is external)
heartland_payment_systems -- heartland-php Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2.8.17 is vulnerable to a reflected XSS in examples/consumer-authentication/cruise.php via the URI, as demonstrated by the cavv parameter. 2017-04-21 4.3 CVE-2017-7992
MISC(link is external)
ibm -- maximo_for_government IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to execute arbitrary code via unspecified vectors. 2017-04-24 6.5 CVE-2015-0104
CONFIRM(link is external)
BID(link is external)
ibm -- maximo_for_government IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to conduct directory traversal attacks via unspecified vectors. 2017-04-24 4.0 CVE-2015-0107
CONFIRM(link is external)
BID(link is external)
invisionpower -- invision_power_board Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation. 2017-04-23 4.3 CVE-2016-2564
MISC(link is external)
MISC(link is external)
irregex_project -- irregex The backtrack compilation code in the Irregex package (aka IrRegular Expressions) before 0.9.6 for Scheme allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression with a repeating pattern. 2017-04-21 5.0 CVE-2016-9954
MLIST(link is external)
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
jetstar -- jetstar Jetstar App for iOS before 3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2017-04-21 4.3 CVE-2016-1221
JVN(link is external)
JVNDB(link is external)
juniper -- northstar_controller A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to read log files which will compromise the integrity of the system, or provide elevation of privileges. 2017-04-24 4.0 CVE-2017-2318
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious attacker crafting packets destined to the device to cause a persistent denial of service to the path computation server service. 2017-04-24 5.0 CVE-2017-2323
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A command injection vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to cause a denial of service condition. 2017-04-24 5.0 CVE-2017-2324
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A buffer overflow vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to cause a buffer overflow leading to a denial of service. 2017-04-24 4.0 CVE-2017-2325
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller An information disclosure vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unprivileged, authenticated, network-based attacker to replicate the underlying Junos OS VM and all data it maintains to their local system for future analysis. 2017-04-24 6.8 CVE-2017-2326
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an authenticated malicious user to consume large amounts of system resources leading to a cascading denial of services. 2017-04-24 4.9 CVE-2017-2327
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, local user, to create a fork bomb scenario, also known as a rabbit virus, or wabbit, which will create processes that replicate themselves, until all resources are consumed on the system, leading to a denial of service to the entire system until it is restarted. Continued attacks by an unauthenticated, local user, can lead to persistent denials of services. 2017-04-24 4.9 CVE-2017-2330
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller A persistent denial of service vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a malicious, network-based, authenticated attacker to consume enough system resources to cause a persistent denial of service by visiting certain specific URLs on the server. 2017-04-24 4.0 CVE-2017-2333
BID(link is external)
CONFIRM(link is external)
juniper -- northstar_controller An information leak vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow a network-based malicious attacker to perform a man-in-the-middle attack, thereby stealing authentic credentials from encrypted paths which are easily decrypted, and subsequently gain complete control of the system. 2017-04-24 4.3 CVE-2017-2334
BID(link is external)
CONFIRM(link is external)
kallithea -- kallithea Kallithea before 0.3.2 allows remote authenticated users to edit or delete open pull requests or delete comments by leveraging read access. 2017-04-24 4.0 CVE-2016-3114
MLIST(link is external)
kallithea -- kallithea Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method. 2017-04-24 6.8 CVE-2016-3691
MLIST(link is external)
lenovo -- lenovo_system_update Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a "temporary administrator account vulnerability." 2017-04-24 6.9 CVE-2015-8109
BID(link is external)
MISC(link is external)
CONFIRM(link is external)
linux -- linux_kernel drivers/media/video/videobuf-vmalloc.c in the Linux kernel before 2.6.24 does not initialize videobuf_mapping data structures, which allows local users to trigger an incorrect count value and videobuf leak via unspecified vectors, a different vulnerability than CVE-2010-5321. 2017-04-24 4.6 CVE-2007-6761
CONFIRM(link is external)
BID(link is external)
MISC
CONFIRM
CONFIRM(link is external)
linux -- linux_kernel The video_usercopy function in drivers/media/video/v4l2-ioctl.c in the Linux kernel before 2.6.39 relies on the count value of a v4l2_ext_controls data structure to determine a kmalloc size, which might allow local users to cause a denial of service (memory consumption) via a large value. 2017-04-24 4.9 CVE-2010-5329
MISC
MLIST(link is external)
BID(link is external)
MISC
MISC(link is external)
mybb -- mybb In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event. 2017-04-24 4.3 CVE-2017-8103
MISC
MISC(link is external)
mybb -- mybb In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter. 2017-04-24 5.0 CVE-2017-8104
MISC
BID(link is external)
MISC(link is external)
netgear -- wnap320_firmware Netgear WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0 reveal wireless passwords and administrative usernames and passwords over SNMP. 2017-04-21 5.0 CVE-2016-1557
MISC(link is external)
FULLDISC
CONFIRM(link is external)
netgear -- wndap210v2_firmware Information disclosure in Netgear WN604 before 3.3.3; WNAP210, WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0; and WND930 before 2.0.11 allows remote attackers to read the wireless WPS PIN or passphrase by visiting unauthenticated webpages. 2017-04-21 5.0 CVE-2016-1556
MISC(link is external)
FULLDISC
CONFIRM(link is external)
netiq -- access_manager An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manager 4.2 and 4.3 exists because Access Gateway Error pages do not validate the HTTP Referer header. 2017-04-24 4.3 CVE-2017-5191
CONFIRM(link is external)
ntt -- photopt Photopt for Android before 2.0.1 does not verify SSL certificates. 2017-04-21 4.3 CVE-2016-1198
JVN(link is external)
JVNDB(link is external)
CONFIRM(link is external)
opendaylight -- opendaylight Denial of Service attack when the switch rejects to receive packets from the controller. Component: This vulnerability affects OpenDaylight odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. Version: OpenDaylight versions 3.3 and 4.0 are affected by this flaw. Java version is openjdk version 1.8.0_91. 2017-04-24 5.0 CVE-2017-1000357
MISC(link is external)
opendaylight -- opendaylight Controller throws an exception and does not allow user to add subsequent flow for a particular switch. Component: OpenDaylight odl-restconf feature contains this flaw. Version: OpenDaylight 4.0 is affected by this flaw. 2017-04-24 4.0 CVE-2017-1000358
MISC(link is external)
op