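*** Source: [Hyundai Research Institute] 2018 Economic Outlook by Major Industry and Implications

■ 2018 Economic Outlook by Major Industry

○ Construction

- Public-sector orders are expected to decline due to SOC budget cuts, and the slowdown in private-sector orders is expected to continue due to tighter real-estate regulation in the building sector and other factors.

○ ICT manufacturing

- Despite stagnating growth in other devices, semiconductor-led growth in ICT manufacturing is expected to continue, with a boom forecast.

○ Automotive industry

- Production and exports are expected to increase on the back of simultaneous growth in advanced and emerging economies and new-model effects, but the increase will not be large because of trade-friction risks and intensifying competition among global automakers; domestic demand is forecast to rise slightly.

○ Steel industry

- Although the export recovery continues as the global oversupply is partly resolved, only a weak recovery is expected to persist because domestic demand remains sluggish.

○ Petrochemical industry

- The global economic recovery will drive export growth, but a slight slowdown is forecast due to slowing growth in China, stagnant domestic demand, and deteriorating cost competitiveness.

○ Shipbuilding

- Despite rising global cargo volumes, higher international oil prices, and easing vessel oversupply, only a weak recovery is forecast, with a slight increase in new orders and a small decline in exports.

○ Machinery industry

- Despite constraints such as slowing domestic facilities investment, the recovery is expected to be maintained, with production rising on the global economic recovery and expanding overseas demand.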

Posted by manga0713

 

 

 

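*** Source: [LG Economic Research Institute] 2018 Domestic and Global Economic Outlook

■ Global economic trends

○ Growth driver shifting from investment to consumption

○ Global economic growth expected to slow gradually

■ Outlook by major region

○ United States: limits to consumption expansion through employment growth

○ Eurozone: sustaining 2% growth looks difficult

○ Japan: production disruptions caused by labor shortages constrain growth

○ China: gradual growth slowdown under policies that prioritize stable growth

○ BRICs: recovery expected to continue

■ Oil prices and international finance

○ International oil prices: holding at around $50 per barrel, with the risk of a sharp drop remaining

○ International interest rates: gradual rise expected as major economies tighten monetary policy step by step

○ International exchange rates: euro expected to strengthen, yen to stay flat, yuan to weaken gradually

■ Domestic economic trends

○ Economic growth slowing as investment loses vigor

■ Outlook by demand component

○ Consumption: gradual recovery as the propensity to consume rebounds

○ Construction investment: turning to negative growth

○ Facilities investment: IT-led investment growth gradually slowing

○ Exports: customs-cleared export growth slowing as the price-increase effect fades

■ Employment and prices

○ Employment: growth in the number of employed slowing as construction weakens

○ Prices: stable at around 2%

■ Domestic finance

○ Domestic interest rates: gradual rise on rising international rates and policy-rate hikes

○ Won exchange rate: forecast at 1,130 won per dollar next year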

Posted by manga0713

 

 

 

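*** Source: [IITP, Institute for Information & Communications Technology Promotion] A Framework for Deriving Innovative Technologies of the Fourth Industrial Revolution - Lee Min-kyung, Lim Jin-yang, Cho Il-gu

*** Document:

file8604853083490350364-182802.pdf

■ This paper introduces a framework for deriving Fourth Industrial Revolution technologies, together with the related technologies. It selects emerging technologies with the keywords of the Fourth Industrial Revolution in mind so that they can be applied directly to domestic R&D policy, and uses them as a basis for deriving R&D direction, such as technology-competitiveness surveys and analysis and technology-policy formulation.

■ Ten innovative technologies

○ The innovative technologies of the Fourth Industrial Revolution can be organized into ten technologies across three focus areas: core leading, foundational, and applied.

○ Core leading technologies: essential general-purpose technologies that can trigger the Fourth Industrial Revolution and bring about innovative socioeconomic change

- IoT (including smart sensors and CPS), big data and cloud, AI, 3D printing, intelligent robots

○ Foundational technologies: technologies needed for the rapid performance improvement and diffusion required to realize the core leading and applied technologies of the Fourth Industrial Revolution

- Infrastructure technologies (information security, mobile, high-speed networks) and basic science

○ Applied technologies: applied-science (product) technologies that, through convergence with the core leading technologies of the Fourth Industrial Revolution, bring revolutionary change such as raising productivity in each industry and solving hard problems

- Genome analysis (industrial mathematics + big data + disease treatment), autonomous vehicles (network + IoT, AI, big data, cloud + automobile)

■ Five core leading technologies

○ Selected from among the ten innovative technologies on the basis of how core, how usable, and how foundational each technology is.

- Artificial intelligence, IoT, big data and cloud, 3D printing, intelligent robots

- Relationship among big data, artificial intelligence, and cloud computing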

 

 

 

Posted by manga0713

[Image source: bible and knowledge "Hezekiah: God's strength, the LORD is strong"]

 

 

 

 

 

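Scripture text: Isaiah 36:13-22

13. Then the Rabshakeh stood and cried out loudly in the language of Judah, saying, "Hear the words of the great king, the king of Assyria. 14. The king says: Do not let Hezekiah deceive you, for he will not be able to deliver you. 15. Do not follow Hezekiah when he tries to make you trust in the LORD, even if he says, 'The LORD will surely deliver us; this city will not be given into the hand of the king of Assyria.' 16. Do not listen to Hezekiah. The king of Assyria also says this: Surrender to me and come out to me; then each of you will eat from his own vine and his own fig tree, and each will drink the water of his own well, 17. until I come and take you away to a land like your own land, a land of grain and wine, of bread and vineyards. 18. Even if Hezekiah tells you, 'The LORD will deliver us,' do not be deceived. Has any of the gods of the nations delivered his land from the hand of the king of Assyria? 19. Where are the gods of Hamath and Arpad? Where are the gods of Sepharvaim? Did they deliver Samaria from my hand? 20. Which of all the gods of these nations has delivered his country from my hand, that the LORD should be able to deliver Jerusalem from my hand?" 21. But they kept silent and answered him not a word, for the king had commanded them, "Do not answer him." 22. Then Eliakim son of Hilkiah, who was over the palace, Shebna the scribe, and Joah son of Asaph, the recorder, tore their clothes, went to Hezekiah, and told him the words of the Rabshakeh.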

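The way to overcome a great problem (Isaiah 36:11-22)

1. Do not lose faith

 The Assyrian commander Rabshakeh, who was demanding Judah's surrender, made his threats not in Aramaic, the language of diplomacy, but in the language of Judah, invoking the will of God. Hearing him, the envoys of Judah, their morale broken, thought of the psychological shock his words would have on the people and abjectly asked him to speak in Aramaic rather than in the language of Judah (v. 11). Rabshakeh flatly refused the request and, blustering, threatened them all the more (v. 12). When you show fear in a frightening situation, Satan comes to threaten you all the more gleefully. Faith exists for times of fear. Do not fall into fear.

 As long as you are on the path of truth, every moment becomes a time of grace. If you refuse to be tamed by darkness, hardship always follows, but it is hardship you can bear, because it is more precious to live with a vision of a free world than to live bound to fate. One who is precious to God is bitterly hated by Satan, so hardship follows, but do not fear hardship. If you are afraid, you collapse easily before a problem, but if you stand firm in faith, the problem eventually disappears.

 A believer is one who cannot be tamed by darkness. If you reject the order of darkness, you go through moments of severe trial that feel like death. John the Baptist and Jesus went through such moments too. What matters is that even in difficulty they did not give up their dream of freedom and their holy vision. A person who shakes off the urge to give up out of discomfort and fear is not a failure even if he has failed. Once you resolve to devote yourself to God's will, you no longer fear Satan or people, nor incidents or accidents.

2. Do not give in to enticement

 Reading the fear in the hearts of the people of Judah, Rabshakeh grew bolder and said in a loud voice that they should not believe Hezekiah and that only by surrendering would they eat grapes and figs and drink well water (vv. 13-16). He went further and enticed them by promising to move the people of Judah to a land rich in food and drink (v. 17). Of course, if surrender is God's will, one may surrender, but giving in to enticement for the sake of temporary safety usually ends miserably.

 Do not sell your soul, your character, and your faith by giving in to wrongful enticement. Do not sell tomorrow's blessing either. You must not, driven by a martyr complex that says you must always take the martyr's path, refuse all compromise and die a meaningless death; but neither must you give in to wrongful enticement for the sake of bodily ease and gain. If you give in to wrongful enticement, the way of life becomes the way of death. Conversely, if you do not shrink from the way of death within God's will, then the way of death becomes the way of life.

 Jesus lived a beautiful and abundant life according to God's will. In his short life of 33 years, Jesus lived every moment in the light and gave himself wholly to accomplishing God's will. He regarded everyone he met as a treasure entrusted to him by God, gave his life for them on the cross of death, and in the end rose again. To give yourself for a holy purpose is not to sink into the swamp of death but to be held in the arms of God.

3. Do not rush forward

 After hearing Rabshakeh, the envoys of Judah kept silent, because King Hezekiah had told them to give no answer to Rabshakeh's demands and to respond calmly. They had inner wounds and seething anger, but for a while they kept silent before Rabshakeh. Such silence is also necessary. If you rush forward, the situation can get worse. To turn a good intention into good fruit, endure the moment of silence with patience. Reacting immediately is not always good.

 Do not rush into anything. Haste can drive you before the winds of madness. Only when you can calmly look back on yourself do you gain an eye for present reality and an eye for the future. Do not do even good things too hastily, and do not show anger too hastily. When a great problem comes, restrain your emotions, shape yourself before God, and plan for tomorrow's ministry and blessing. When you step forward in God's time, more blessed fruit will overflow in your life and ministry.

 Just as we need discernment to tell good from evil, we also need discernment to know when to step forward and when to step back, when to advance and when to retreat. Solitude, silence, and retreat in faith can become the time of greatest advance and maturity in life, because God works in our place. Life needs its high notes, but it also needs its low notes. Through the low-voiced trio of 'solitude', 'silence', and 'retreat' in faith, become a blessed person who overcomes great problems and rises higher still.

ⓒ Pastor Lee Han-kyu  http://www.john316.or.kr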

Posted by manga0713

 

 


 

 

 

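*** Get the book:

제5회 과학기술예측조사 미래 시나리오 2042년, 우리는 무슨 일을 하고 있을까.vol1.egg

제5회 과학기술예측조사 미래 시나리오 2042년, 우리는 무슨 일을 하고 있을까.vol2.egg

25 years from now,

introducing the world of our children as future technology will change it!

What will the world ahead look like?

Have you ever dreamed of a world where, when we are caught in a dangerous disaster, robots rescue us like the heroes of SF films, and where we work alongside brilliant AI colleagues who solve any problem with ease? You might even find yourself working on the far-off Moon, thinking of your parents back on Earth. Is such a world really possible? If so, when?

To answer these questions, Korea conducts a 'Science and Technology Foresight' survey every five years. The survey begins by examining from many angles the various changes our society will face, their causes, and the problems they raise. First, it looks at ways to adapt well to these changes and at the technologies needed to solve the problems that may arise. Then, in line with the state of our scientific and technological progress, it considers when those technologies will become a deep part of our daily lives.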

 

 

 

 

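■ Future technologies introduced in the book (summarized in a table in the appendix)

- Automatic wireless-charging parking lots for electric vehicles
- Real-time road-surface condition detection and vehicle control technology
- AI-based traffic control technology
- Rollable display technology for mobile devices
- Personal assistant software that understands individual context and lifelogs
- Disaster response and rescue robots
- Wearable rehabilitation-assist robots
- Robot intelligence control technology for the safe management of robots
- Design technology specialized for 3D printing
- Design and construction technology for energy-self-sufficient megabuildings
- Automated construction robots for high-rise buildings based on digital drawing information
- Quantum-dot materials and process technology based on non-toxic elements for the emissive layer of flexible displays
- Building exterior material technology for solar power generation and active energy response
- Household waste collection, transport, and sorting systems and resource and energy recovery processes for realizing a Zero-Waste city
- Urban fine-dust and water-quality management technology using air and water analysis sensors embedded in clothing and accessories
- Technology for building water-self-sufficient cities using renewable energy and multiple water sources
- Self-learning multilingual automatic translation and interpretation technology
- Technology for developing highly functional new varieties using gene editing
- Smart farms using AI and big-data cloud systems
- Technology for developing environment-tolerant GM (genetically modified) new varieties
- Cancer biomarker nanochip blood diagnostic kit technology
- Precision-medicine-based disease prediction and early diagnosis technology
- Smart drugs that use ions and can be used safely over long periods
- Implantable devices capable of real-time biometric sensing and communication
- Remote-monitoring e-healthcare platform for the elderly and infirm
- Technology for manufacturing customized artificial organs using 3D printing
- Virtual medical procedure technology using virtual reality and 3D printers
- Gene therapy technology for disease genes using gene scissors
- Technology for building crewed bases on the Moon and Mars
- Space debris disposal technology
- Technology for developing crops that can be grown in space environments
- Technology for mining space resources on asteroids and the Moon
- Zero-gravity 3D printing technology for space environments
- Remote-area exploration robots that intelligently overcome situations
- Autonomous combining and separating robots for optimal mission performance in a short time under difficult conditions
- Autonomous vehicles capable of door-to-door operation
- High-performance automobile engines using micro gas turbine technology
- High-speed vertical and horizontal three-dimensional track systems within skyscrapers and large underground spaces
- Smart paints and materials capable of self-diagnosis for measuring facility damage and deterioration
- Technology that automatically fabricates restorations tailored to the damaged parts of structures
- Space-based solar power generation technology
- Integrated modeling and simulation software that interlinks and analyzes global issues such as the environment, infectious diseases, and disasters
- DNA-chip-based large-capacity data storage and information management technology
- Quantum computing technology for ultra-high-speed computation
- Rainfall control systems for ecosystem regulation
- Neuromorphic computing that mimics the human brain
- Greenhouse-gas-free hydrogen-reduction steelmaking technology
- Technology for developing seafloor hydrothermal mineral resources
- Artificial trees that directly capture atmospheric carbon dioxide
- Carbon utilization technology, such as manufacturing products from captured carbon dioxide and substituting process feedstocks
- Technology for developing nanostructured photocatalysts capable of artificial photosynthesis
- Haptic hologram technology that stimulates three-dimensional vision and touch
- Technology that optimizes vision by changing contact-lens power according to the environment
- 3D printing technology for manufacturing biological sensory organs and skin with external-environment sensing, adaptation, and protection functions
- Convergence materials for extreme environments
- Biohydrogen production technology using microbial catalysts
- Multimodal deep-learning software
- Personal autonomous aircraft
- Customized xenogeneic artificial organ culture systems using personal genetic maps
- Biomimetic artificial organ technology using induced pluripotent stem cells
- Aging suppression through regulation of aging-inducing substances
- Customized in vivo restoration technology for damaged organs
- Human-machine co-adaptive brain-computer interface technology
- Fully implantable neural interface devices
- Memory scanning, storage, and adjustment technology
- Self-learning wearable artificial brains for supplementing and enhancing human cognition
- Capsule-type ultra-high-speed train systems using pipelines

**** This work can be downloaded from the websites of the Ministry of Science and ICT and the Korea Institute of S&T Evaluation and Planning (KISTEP).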

 

Posted by manga0713

 

 

 

*** Source: [US-CERT: Bulletin (SB17-359)] Security vulnerabilities published through December 18, 2017

 

 

 

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

 

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
k7computing -- antivirus
K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025ac DeviceIoControl request. 2017-12-15 7.5 CVE-2017-17699
MISC
k7computing -- antivirus
K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025a4 DeviceIoControl request. 2017-12-15 7.5 CVE-2017-17700
MISC
k7computing -- antivirus
K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025c8 DeviceIoControl request. 2017-12-15 7.5 CVE-2017-17701
MISC

 

Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
techno_-_portfolio_management_panel_project -- techno_-_portfolio_management_panel
Techno - Portfolio Management Panel through 2017-11-16 does not check authorization for panel/portfolio.php?action=delete requests that remove feedback. 2017-12-15 4.0 CVE-2017-17693
MISC
techno_-_portfolio_management_panel_project -- techno_-_portfolio_management_panel
Techno - Portfolio Management Panel through 2017-11-16 allows SQL Injection via the panel/search.php s parameter. 2017-12-15 6.5 CVE-2017-17695
MISC
techno_-_portfolio_management_panel_project -- techno_-_portfolio_management_panel
Techno - Portfolio Management Panel through 2017-11-16 allows full path disclosure via an invalid s parameter to panel/search.php. 2017-12-15 4.0 CVE-2017-17696
MISC

 

Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
techno_-_portfolio_management_panel_project -- techno_-_portfolio_management_panel
Techno - Portfolio Management Panel through 2017-11-16 allows XSS via the panel/search.php s parameter. 2017-12-15 3.5 CVE-2017-17694
MISC

 

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
abb -- ellipse
 
An Unprotected Transport of Credentials issue was discovered in ABB Ellipse 8.3 through Ellipse 8.9 released prior to December 2017 (including Ellipse Select). A vulnerability exists in the authentication of Ellipse to LDAP/AD using the LDAP protocol. An attacker could exploit the vulnerability by sniffing local network traffic, allowing the discovery of authentication credentials. 2017-12-20 not yet calculated CVE-2017-16731
MISC
apache -- drill
 
In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards. 2017-12-18 not yet calculated CVE-2017-12630
MLIST
apache -- sling_authentication_service
 
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over their credentials. 2017-12-18 not yet calculated CVE-2017-15700
MLIST
bitdefender -- bitdefender
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender Internet Security 2018. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within emulator 0x102 in cevakrnl.xmd. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code under the context of SYSTEM. Was ZDI-CAN-5116. 2017-12-21 not yet calculated CVE-2017-17410
MISC
bitdefender -- bitdefender
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender Internet Security 2018. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within emulator 0x10A in cevakrnl.xmd. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code under the context of SYSTEM. Was ZDI-CAN-5102. 2017-12-21 not yet calculated CVE-2017-17409
MISC
bitdefender -- bitdefender
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Bitdefender Internet Security 2018. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within cevakrnl.xmd. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code under the context of SYSTEM. Was ZDI-CAN-5101. 2017-12-21 not yet calculated CVE-2017-17408
MISC
blogotext -- blogotext
 
validate_form_preferences in admin/preferences.php in BlogoText through 3.7.6 allows attackers to bypass intended access restrictions via vectors related to an e-mail address field. 2017-12-20 not yet calculated CVE-2017-17794
CONFIRM
CONFIRM
blogotext -- blogotext
 
Cross site scripting (XSS) vulnerability in the markup_clean_href function in inc/conv.php in BlogoText through 3.7.6 allows remote attackers to inject arbitrary JavaScript via a comment. 2017-12-20 not yet calculated CVE-2017-17792
CONFIRM
CONFIRM
blogotext -- blogotext
 
Information Disclosure vulnerability in creer_fichier_zip in admin/maintenance.php in BlogoText through 3.7.6 allows remote attackers to defeat a filename-randomization protection mechanism, and read backup archives on Windows servers, by providing the archiv~1.zip name (aka an 8.3 filename). 2017-12-20 not yet calculated CVE-2017-17793
CONFIRM
CONFIRM
brightsign -- brightsign_digital_signage
 
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has XSS via the REF parameter to /network_diagnostics.html or /storage_info.html. 2017-12-18 not yet calculated CVE-2017-17737
MISC
brightsign -- brightsign_digital_signage
 
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) allows renaming and modifying files via /tools.html. 2017-12-18 not yet calculated CVE-2017-17738
MISC
brightsign -- brightsign_digital_signage
 
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files. 2017-12-18 not yet calculated CVE-2017-17739
MISC
cambium_networks -- epmp_firmware
 
Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack CSRF controls that can mitigate the effects of CSRF attacks, which are most typically implemented as randomized per-session tokens associated with any web application function, especially destructive ones. 2017-12-20 not yet calculated CVE-2017-5263
MISC
cambium_networks -- epmp_firmware
 
In version 3.5 and prior of Cambium Networks ePMP firmware, an attacker who knows (or guesses) the SNMP read/write (RW) community string can insert XSS strings in certain SNMP OIDs which will execute in the context of the currently-logged on user. 2017-12-20 not yet calculated CVE-2017-5257
MISC
cambium_networks -- epmp_firmware
 
In version 3.5 and prior of Cambium Networks ePMP firmware, all authenticated users have the ability to update the Device Name and System Description fields in the web administration console, and those fields are vulnerable to persistent cross-site scripting (XSS) injection. 2017-12-20 not yet calculated CVE-2017-5256
MISC
cambium_networks -- epmp_firmware
 
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the 'ping' and 'traceroute' functions of the web administrative console expose a file path traversal vulnerability, accessible to all authenticated users. 2017-12-20 not yet calculated CVE-2017-5261
MISC
cambium_networks -- epmp_firmware
 
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, the SNMP read-only (RO) community string has access to sensitive information by OID reference. 2017-12-20 not yet calculated CVE-2017-5262
MISC
cambium_networks -- epmp_firmware
 
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, although the option to access the configuration file is not available in the normal web administrative console for the 'user' account, the configuration file is accessible via direct object reference (DRO) at http://<device-ip-or-hostname>/goform/down_cfg_file by this otherwise low privilege 'user' account. 2017-12-20 not yet calculated CVE-2017-5260
MISC
cambium_networks -- epmp_firmware
 
In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root. 2017-12-20 not yet calculated CVE-2017-5255
MISC
cambium_networks -- epmp_firmware
 
In version 3.5 and prior of Cambium Networks ePMP firmware, the non-administrative users 'installer' and 'home' have the capability of changing passwords for other accounts, including admin, after disabling a client-side protection mechanism. 2017-12-20 not yet calculated CVE-2017-5254
MISC
cambium_networks -- epmp_firmware
 
In version 3.5 and prior of Cambium Networks ePMP firmware, an attacker who knows or can guess the RW community string can provide a URL for a configuration file over SNMP with XSS strings in certain SNMP OIDs, serve it via HTTP, and the affected device will perform a configuration restore using the attacker's supplied config file, including the inserted XSS strings. 2017-12-20 not yet calculated CVE-2017-5258
MISC
cambium_networks -- epmp_firmware
 
In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, an undocumented, root-privilege administration web shell is available using the HTTP path https://<device-ip-or-hostname>/adm/syscmd.asp. 2017-12-20 not yet calculated CVE-2017-5259
MISC
cisco -- asa
 
A vulnerability in the TLS protocol implementation of legacy Cisco ASA 5500 Series (ASA 5505, 5510, 5520, 5540, and 5550) devices could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack. An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions. Cisco Bug IDs: CSCvg97652. 2017-12-15 not yet calculated CVE-2017-12373
BID
CONFIRM
cms_made_simple -- cms_made_simple 
 
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies. 2017-12-18 not yet calculated CVE-2017-17735
CONFIRM
CONFIRM
cms_made_simple -- cms_made_simple 
 
CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions. 2017-12-18 not yet calculated CVE-2017-17734
CONFIRM
CONFIRM
code_crafters -- ability_mail_server
 
Ability Mail Server 3.3.2 has Cross Site Scripting (XSS) via the body of an e-mail message, with JavaScript code executed on the Read Mail screen (aka the /_readmail URI). This is fixed in version 4.2.4. 2017-12-20 not yet calculated CVE-2017-17752
EXPLOIT-DB
conarc -- ichannel
 
Conarc iChannel allows remote attackers to obtain sensitive information, modify the configuration, or cause a denial of service (by deleting the configuration) via a wc.dll?wwMaint~EditConfig request (which reaches an older version of a West Wind Web Connection HTTP service). 2017-12-19 not yet calculated CVE-2017-17759
MISC
dedecms -- dedecms
 
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. 2017-12-18 not yet calculated CVE-2017-17731
MISC
dedecms -- dedecms
 
DedeCMS through 5.6 allows arbitrary file upload and PHP code execution by embedding the PHP code in a .jpg file, which is used in the templet parameter to member/article_edit.php. 2017-12-18 not yet calculated CVE-2017-17727
MISC
dedecms -- dedecms
 
DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. 2017-12-18 not yet calculated CVE-2017-17730
MISC
ecava -- integraxor
 
A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. The SQL Injection vulnerability has been identified, which generates an error in the database log. 2017-12-20 not yet calculated CVE-2017-16735
MISC
ecava -- integraxor
 
A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. The SQL Injection vulnerability has been identified, which an attacker can leverage to disclose sensitive information from the database. 2017-12-20 not yet calculated CVE-2017-16733
MISC
emc -- data_domain
 
An issue was discovered in EMC Data Domain DD OS 5.7 family, versions prior to 5.7.5.6; EMC Data Domain DD OS 6.0 family, versions prior to 6.0.2.9; EMC Data Domain DD OS 6.1 family, versions prior to 6.1.0.21; EMC Data Domain Virtual Edition 2.0 family, all versions; EMC Data Domain Virtual Edition 3.0 family, versions prior to 3.0 SP2 Update 1; and EMC Data Domain Virtual Edition 3.1 family, versions prior to 3.1 Update 2. EMC Data Domain DD OS contains a memory overflow vulnerability in SMBv1 which may potentially be exploited by an unauthenticated remote attacker. An attacker may completely shut down both the SMB service and active directory authentication. This may also allow remote code injection and execution. 2017-12-20 not yet calculated CVE-2017-14385
CONFIRM
SECTRACK
emc -- isilon_onfs
 
The NFS service in EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, and 8.0.0.0 - 8.0.0.4 maintains default NFS export settings (including the NFS export security flavor for authentication) that can be leveraged by current and future NFS exports. This NFS service contained a flaw that did not properly propagate changes made to the default security flavor to all new and existing NFS exports that are configured to use default NFS export settings and that are mounted after those changes are made. This flaw may potentially allow NFS clients to access affected NFS exports using the default and potentially weaker security flavor even if a more secure one was selected to be used by the OneFS administrator, aka an "NFS Export Security Setting Fallback Vulnerability." 2017-12-20 not yet calculated CVE-2017-14387
CONFIRM
f5 -- big-ip_afm
 
A SQL injection vulnerability exists in the BIG-IP AFM management UI on versions 12.0.0, 12.1.0, 12.1.1, 12.1.2 and 13.0.0 that may allow a copy of the firewall rules to be tampered with and impact the Configuration Utility until there is a resync of the rules. Traffic processing and the live firewall rules in use are not affected. 2017-12-21 not yet calculated CVE-2017-0304
SECTRACK
CONFIRM
f5 -- big-ip_apm
 
In F5 BIG-IP APM software version 13.0.0 and 12.1.2, in some circumstances, APM tunneled VPN flows can cause a VPN/PPP connflow to be prematurely freed or cause TMM to stop responding with a "flow not in use" assertion. An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group. 2017-12-21 not yet calculated CVE-2017-6129
CONFIRM
f5 -- big-ip_apm
 
In F5 BIG-IP APM software versions 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, 11.6.1, 12.0.0, 12.1.0, 12.1.1 and 12.1.2 BIG-IP APM portal access requests do not return the intended resources in some cases. This may allow access to internal BIG-IP APM resources, however the application resources and backend servers are unaffected. 2017-12-21 not yet calculated CVE-2017-0301
SECTRACK
CONFIRM
f5 -- big-ip_apm
 
In F5 BIG-IP APM software version 13.0.0 and 12.1.2, under rare conditions, the BIG-IP APM system appends log details when responding to client requests. Details in the log file can vary; customers running debug mode logging with BIG-IP APM are at highest risk. 2017-12-21 not yet calculated CVE-2017-6139
CONFIRM
f5 -- multiple_products
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version 13.0.0, undisclosed requests made to BIG-IP virtual servers which make use of the "HTTP/2 profile" may result in a disruption of service to TMM. 2017-12-21 not yet calculated CVE-2017-6151
CONFIRM
f5 -- multiple_products
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0, a slow memory leak as a result of undisclosed IPv4 or IPv6 packets sent to BIG-IP management port or self IP addresses may lead to out of memory (OOM) conditions. 2017-12-21 not yet calculated CVE-2017-6135
CONFIRM
f5 -- multiple_products
 
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0, 12.1.0 - 12.1.2 and 11.5.1 - 11.6.1, an undisclosed sequence of packets, sourced from an adjacent network may cause TMM to crash. 2017-12-21 not yet calculated CVE-2017-6134
CONFIRM
f5 -- multiple_products
 
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0 and 12.0.0 - 12.1.2, undisclosed traffic patterns sent to BIG-IP virtual servers, with the TCP Fast Open and Tail Loss Probe options enabled in the associated TCP profile, may cause a disruption of service to the Traffic Management Microkernel (TMM). 2017-12-21 not yet calculated CVE-2017-6136
CONFIRM
f5 -- multiple_products
 
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software version 13.0.0, 12.0.0 to 12.1.2, 11.6.0 to 11.6.1 and 11.5.0 - 11.5.4, an undisclosed sequence of packets sent to BIG-IP High Availability state mirror listeners (primary and/or secondary IP) may cause TMM to restart. 2017-12-21 not yet calculated CVE-2017-6132
CONFIRM
f5 -- multiple_products
 
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1 and 11.5.0 - 11.5.4, in some circumstances, Traffic Management Microkernel (TMM) does not properly handle certain malformed TLS1.2 records, which allows remote attackers to cause a denial-of-service (DoS) or possible remote command execution on the BIG-IP system. 2017-12-21 not yet calculated CVE-2017-6164
CONFIRM
f5 -- multiple_products
 
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies. 2017-12-21 not yet calculated CVE-2017-6138
CONFIRM
f5 -- multiple_products
 
On the BIG-IP 2000s, 2200s, 4000s, 4200v, i5600, i5800, i7600, i7800, i10600,i10800, and VIPRION 4450 blades, running version 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, 11.6.1, 12.0.0, 12.1.0, 12.1.1 or 12.1.2 of BIG-IP LTM, AAM, AFM, Analytics, ASM, DNS, GTM or PEM, an undisclosed sequence of packets sent to Virtual Servers with client or server SSL profiles may cause disruption of data plane services. 2017-12-21 not yet calculated CVE-2017-6140
CONFIRM
f5 -- multiple_products
 
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, undisclosed HTTP requests may cause a denial of service. 2017-12-21 not yet calculated CVE-2017-6133
CONFIRM
f5 -- multiple_products
 
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, race conditions in iControl REST may lead to commands being executed with different privilege levels than expected. 2017-12-21 not yet calculated CVE-2017-6167
CONFIRM
fortinet -- forticlient
 
An Information Disclosure vulnerability in Fortinet FortiClient for Windows 5.6.0 and below versions, FortiClient for Mac OSX 5.6.0 and below versions and FortiClient SSLVPN Client for Linux 4.4.2334 and below versions allows regular users to see each other's VPN authentication credentials due to improperly secured storage locations. 2017-12-15 not yet calculated CVE-2017-14184
BID
CONFIRM
fortunescripts.com -- fs_lynda_clone
 
FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/. 2017-12-18 not yet calculated CVE-2017-17643
MISC
EXPLOIT-DB
foxit -- reader

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the yTsiz member of SIZ markers. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-4977. 2017-12-20 not yet calculated CVE-2017-16589
CONFIRM
MISC
foxit -- reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the value attribute of Field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4980. 2017-12-20 not yet calculated CVE-2017-10958
CONFIRM
MISC
foxit -- reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the author attribute of the Document object. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5282. 2017-12-20 not yet calculated CVE-2017-16581
CONFIRM
MISC
foxit -- reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the removeField method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5296. 2017-12-20 not yet calculated CVE-2017-16587
CONFIRM
MISC
foxit -- reader

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XFA's bind element. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5091. 2017-12-20 not yet calculated CVE-2017-16575
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the signer method of XFA's Signature objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-5015. 2017-12-20 not yet calculated CVE-2017-14823
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the tile index member of SOT markers. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-4978. 2017-12-20 not yet calculated CVE-2017-10956
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the setAction method of Link objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4981. 2017-12-20 not yet calculated CVE-2017-10959
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the tile index of the SOT marker in JPEG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5012. 2017-12-20 not yet calculated CVE-2017-14820
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the formNodes method of XFA Node objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5018. 2017-12-20 not yet calculated CVE-2017-14826
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the xOsiz member of SIZ markers. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5014. 2017-12-20 not yet calculated CVE-2017-14822
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of the xTsiz member of SIZ markers. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5013. 2017-12-20 not yet calculated CVE-2017-14821
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG2000 images embedded in PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-4982. 2017-12-20 not yet calculated CVE-2017-14818
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the arrowEnd attribute of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-4979. 2017-12-20 not yet calculated CVE-2017-10957
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of references to the app object from FormCalc. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5072. 2017-12-20 not yet calculated CVE-2017-16571
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the pageSpan method of XFA Layout objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5029. 2017-12-20 not yet calculated CVE-2017-14837
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the clearItems XFA method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5288. 2017-12-20 not yet calculated CVE-2017-16582
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within FormCalc's closeDoc method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5073. 2017-12-20 not yet calculated CVE-2017-16572
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the setFocus method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5022. 2017-12-20 not yet calculated CVE-2017-14830
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the remove method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5017. 2017-12-20 not yet calculated CVE-2017-14825
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the insert method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5016. 2017-12-20 not yet calculated CVE-2017-14824
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the channel number member of the cdef box. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5011. 2017-12-20 not yet calculated CVE-2017-14819
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the append method of XFA Node objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5019. 2017-12-20 not yet calculated CVE-2017-14827
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the w method of XFA Layout objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5020. 2017-12-20 not yet calculated CVE-2017-14828
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the openList method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5021. 2017-12-20 not yet calculated CVE-2017-14829
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the page method of XFA Layout objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5027. 2017-12-20 not yet calculated CVE-2017-14835
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the style attribute of FileAttachment annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5026. 2017-12-20 not yet calculated CVE-2017-14834
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the author attribute of Circle Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5023. 2017-12-20 not yet calculated CVE-2017-14831
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the style attribute of Caret Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5024. 2017-12-20 not yet calculated CVE-2017-14832
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG2000 images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5244. 2017-12-20 not yet calculated CVE-2017-16579
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within util.printf. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5290. 2017-12-20 not yet calculated CVE-2017-16584
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the datasets element of XFA forms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5289. 2017-12-20 not yet calculated CVE-2017-16583
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the addAnnot method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5295. 2017-12-20 not yet calculated CVE-2017-16586
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the app.response method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5294. 2017-12-20 not yet calculated CVE-2017-16585
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the ImageField node of XFA forms. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5281. 2017-12-20 not yet calculated CVE-2017-16580
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within XFA's field element. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5092. 2017-12-20 not yet calculated CVE-2017-16576
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.2.25013. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the picture elements within XFA forms. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5216. 2017-12-20 not yet calculated CVE-2017-16578
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the style attribute of Text Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5025. 2017-12-20 not yet calculated CVE-2017-14833
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the alignment attribute of Field objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5094. 2017-12-20 not yet calculated CVE-2017-16577
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the modDate attribute of Annotation objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5028. 2017-12-20 not yet calculated CVE-2017-14836
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LZWDecode filters. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5078. 2017-12-20 not yet calculated CVE-2017-16573
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of Image filters. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-5079. 2017-12-20 not yet calculated CVE-2017-16574
CONFIRM
MISC
foxit -- reader
 
This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SOT markers. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-4976. 2017-12-20 not yet calculated CVE-2017-16588
CONFIRM
MISC
genexis_b.v. -- genexis_automatic_provisioning_system
 
CPEs used by subscribers on the access network receive their individual configuration settings from a central GAPS instance. A CPE identifies itself by the MAC address of its WAN interface and a certain "chk" value (48bit) derived from the MAC. The algorithm used to compute the "chk" was disclosed by reverse engineering the CPE's firmware. As a result, it is possible to forge valid "chk" values for any given MAC address and therefore receive the configuration settings of other subscribers' CPEs. The configuration settings often contain sensitive values, for example credentials (username/password) for VoIP services. This issue affects Genexis B.V. GAPS up to 7.2. 2017-12-20 not yet calculated CVE-2017-6094
FULLDISC
gimp -- gimp
 
In GIMP 2.8.22, there is a heap-based buffer over-read in ReadImage in plug-ins/common/file-tga.c (related to bgr2rgb.part.1) via an unexpected bits-per-pixel value for an RGBA image. 2017-12-20 not yet calculated CVE-2017-17786
MISC
MISC
gimp -- gimp
 
In GIMP 2.8.22, there is a heap-based buffer over-read in read_creator_block in plug-ins/common/file-psp.c. 2017-12-20 not yet calculated CVE-2017-17787
MISC
MISC
gimp -- gimp
 
In GIMP 2.8.22, there is a heap-based buffer overflow in the fli_read_brun function in plug-ins/file-fli/fli.c. 2017-12-20 not yet calculated CVE-2017-17785
MISC
MISC
gimp -- gimp
 
In GIMP 2.8.22, there is a heap-based buffer over-read in load_image in plug-ins/common/file-gbr.c in the gbr import parser, related to mishandling of UTF-8 data. 2017-12-20 not yet calculated CVE-2017-17784
MISC
MISC
gimp -- gimp
 
In GIMP 2.8.22, there is a stack-based buffer over-read in xcf_load_stream in app/xcf/xcf.c when there is no '\0' character after the version string. 2017-12-20 not yet calculated CVE-2017-17788
MISC
MISC
gimp -- gimp
 
In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_data in plug-ins/common/file-psp.c. 2017-12-20 not yet calculated CVE-2017-17789
MISC
MISC
github -- git_lfs
 
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a "url =" line in a .lfsconfig file within a repository. 2017-12-21 not yet calculated CVE-2017-17831
MISC
MISC
MISC
gitlab -- gitlab
 
GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verification, but a verify_certificates LDAP option was mentioned in the 9.4 release announcement. This issue occurred because code was not merged. This is related to use of the omniauth-ldap library and the gitlab_omniauth-ldap gem. 2017-12-17 not yet calculated CVE-2017-17716
MISC
MISC
MISC
gnu -- c_library
 
elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution. 2017-12-17 not yet calculated CVE-2017-16997
CONFIRM
CONFIRM
CONFIRM

golden_frog -- vyprvpn


 
In Golden Frog VyprVPN before 2.15.0.5828 for macOS, the vyprvpnservice launch daemon has an unprotected XPC service that allows attackers to update the underlying OpenVPN configuration and the arguments passed to the OpenVPN binary when executed. An attacker can abuse this vulnerability by forcing the VyprVPN application to load a malicious dynamic library every time a new connection is made. 2017-12-20 not yet calculated CVE-2017-17809
MISC
gpweb -- gpweb
 
Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allows remote attackers to view the password and user database. 2017-12-18 not yet calculated CVE-2017-15877
MISC
gpweb -- gpweb
 
SQL injection vulnerability in Password Recovery in GPWeb 8.4.61 allows remote attackers to execute arbitrary SQL commands via the "checkemail" parameter. 2017-12-18 not yet calculated CVE-2017-15875
MISC
gpweb -- gpweb
 
Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote authenticated users to upload any type of file, including a PHP shell. 2017-12-18 not yet calculated CVE-2017-15876
MISC
graphicsmagick -- graphicsmagick

In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in ReadOneJNGImage in coders/png.c, related to oFFs chunk allocation. 2017-12-20 not yet calculated CVE-2017-17782
CONFIRM
CONFIRM
graphicsmagick -- graphicsmagick 
 
In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImage in coders/palm.c when QuantumDepth is 8. 2017-12-20 not yet calculated CVE-2017-17783
CONFIRM
CONFIRM
h2o -- h2o
 
H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/2 header. 2017-12-22 not yet calculated CVE-2017-10908
CONFIRM
JVN
h2o -- h2o
 
H2O version 2.2.2 and earlier allows remote attackers to cause a denial of service in the server via specially crafted HTTP/1 header. 2017-12-22 not yet calculated CVE-2017-10868
CONFIRM
JVN
h2o -- h2o
 
H2O version 2.2.3 and earlier allows remote attackers to cause a denial of service in the server via unspecified vectors. 2017-12-22 not yet calculated CVE-2017-10872
CONFIRM
JVN
h2o -- h2o
 
Buffer overflow in H2O version 2.2.2 and earlier allows remote attackers to cause a denial-of-service in the server via unspecified vectors. 2017-12-22 not yet calculated CVE-2017-10869
CONFIRM
JVN
heketi -- heketi
 
A security-check flaw was found in the way the Heketi 5 server API handled user requests. An authenticated Heketi user could send specially crafted requests to the Heketi server, resulting in remote command execution as the user running Heketi server and possibly privilege escalation. 2017-12-18 not yet calculated CVE-2017-15103
REDHAT
CONFIRM
CONFIRM
heketi -- heketi
 
An access flaw was found in Heketi 5, where the heketi.json configuration file was world readable. An attacker having local access to the Heketi server could read plain-text passwords from the heketi.json file. 2017-12-18 not yet calculated CVE-2017-15104
REDHAT
CONFIRM
CONFIRM
CONFIRM
horde_project -- groupware
 
In Horde Groupware through 5.2.22, SQL Injection exists via the group parameter to /services/prefs.php or the homePostalCode parameter to /turba/search.php. 2017-12-20 not yet calculated CVE-2017-17781
MISC
huawei -- fusionsphere_openstack
 
Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an information leak vulnerability due to the use of a low version transmission protocol by default. An attacker could intercept packets transferred by a target device. Successful exploit could cause an information leak. 2017-12-22 not yet calculated CVE-2017-15321
CONFIRM
huawei -- hg8245h
 
Huawei HG8245H versions earlier than V300R018C00SPC110 have an authentication bypass vulnerability. An attacker can access a specific URL of the affected product. Due to improper verification of the privilege, successful exploitation may cause an information leak. 2017-12-22 not yet calculated CVE-2017-15328
MISC
MISC
huawei -- honor_8_smartphone
 
Huawei Honor 8 smartphones with software versions earlier than FRD-L04C567B389 and earlier than FRD-L14C567B389 have a permission control vulnerability due to improper authorization configuration on specific device information. 2017-12-22 not yet calculated CVE-2017-15307
CONFIRM
huawei -- ireader
 
Huawei iReader app before 8.0.2.301 has an arbitrary file deletion vulnerability due to the lack of input validation. An attacker can exploit this vulnerability to delete specific files from the SD card. 2017-12-22 not yet calculated CVE-2017-15310
CONFIRM
huawei -- ireader
 
Huawei iReader app before 8.0.2.301 has a path traversal vulnerability due to insufficient validation on file storage paths. An attacker can exploit this vulnerability to store downloaded malicious files in an arbitrary directory. 2017-12-22 not yet calculated CVE-2017-15309
CONFIRM
huawei -- ireader
 
Huawei iReader app before 8.0.2.301 has an input validation vulnerability due to insufficient validation on the URL used for loading network data. An attacker can control app access and load malicious websites created by the attacker, and the code in webpages would be loaded and run. 2017-12-22 not yet calculated CVE-2017-15308
CONFIRM
huawei -- mate_9_smartphone
 
The GPU driver of Mate 9 Huawei smart phones with software before MHA-AL00B 8.0.0.334(C00) and Mate 9 Pro Huawei smart phones with software before LON-AL00B 8.0.0.334(C00) has a memory double free vulnerability. An attacker tricks a user into installing a malicious application, and the application can call a special API, which triggers a double free and causes a system crash or arbitrary code execution. 2017-12-22 not yet calculated CVE-2017-15316
CONFIRM
huawei -- multiple_smartphones
 
Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 and BGO-L03C331B009CUSTC331D001 have a DoS vulnerability due to insufficient input validation. An attacker could exploit this vulnerability by sending specially crafted NFC messages to the target device. Successful exploit could make a service crash. 2017-12-22 not yet calculated CVE-2017-15322
CONFIRM
huawei -- multiple_products
 
The baseband modules of Mate 10, Mate 10 Pro, Mate 9, Mate 9 Pro Huawei smart phones with software before ALP-AL00 8.0.0.120(SP2C00), before BLA-AL00 8.0.0.120(SP2C00), before MHA-AL00B 8.0.0.334(C00), and before LON-AL00B 8.0.0.334(C00) have a stack overflow vulnerability due to the lack of parameter validation. An attacker could send malicious packets to the smart phones within radio range using a special wireless device, which leads to a stack overflow when the baseband module handles these packets. The attacker could exploit this vulnerability to perform a denial of service attack or remote code execution in the baseband module. 2017-12-22 not yet calculated CVE-2017-15311
CONFIRM
huawei -- multiple_products
 
RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R006C00; TE40 V500R002C00, V600R006C00; TE50 V500R002C00, V600R006C00; TE60 V100R001C10, V500R002C00, V600R006C00 have out-of-bounds read vulnerabilities in some Huawei products. Due to insufficient input validation, a remote attacker could exploit these vulnerabilities by sending specially crafted SS7 related packets to the target devices. Successful exploitation will cause an out-of-bounds read and possibly crash the system. 2017-12-22 not yet calculated CVE-2017-15318
CONFIRM
huawei -- multiple_products
 
AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR1200 V200R006C10, V200R006C13, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30; AR1200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR150 V200R006C10, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30; AR150-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR160 V200R006C10, V200R006C12, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30; AR200 V200R006C10, V200R007C00, V200R007C01, V200R008C20, V200R008C30; AR200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR2200 V200R006C10, V200R006C13, V200R006C16, V200R007C00, V200R007C01, V200R007C02, V200R008C20, V200R008C30; AR2200-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR3200 V200R006C10, V200R006C11, V200R007C00, V200R007C01, V200R007C02, V200R008C00, V200R008C10, V200R008C20, V200R008C30; AR510 V200R006C10, V200R006C12, V200R006C13, V200R006C15, V200R006C16, V200R006C17, V200R007C00, V200R008C20, V200R008C30; SRG1300 V200R006C10, V200R007C00, V200R007C02, V200R008C20, V200R008C30; SRG2300 V200R006C10, V200R007C00, V200R007C02, V200R008C20, V200R008C30; SRG3300 V200R006C10, V200R007C00, V200R008C20, V200R008C30 have an input validation vulnerability in Huawei multiple products. Due to the insufficient input validation, an unauthenticated, remote attacker may craft a malformed Stream Control Transmission Protocol (SCTP) packet and send it to the device, causing the device to read out of bounds and restart. 2017-12-22 not yet calculated CVE-2017-15317
CONFIRM
huawei -- multiple_products
 
Huawei S12700 V200R006C00, V200R007C00, V200R007C01, V200R007C20, V200R008C00, V200R009C00, V200R010C00; S1700 V200R006C10, V200R009C00, V200R010C00; S2700 V200R006C00, V200R006C10, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00; S5700 V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00; S6700 V200R005C00, V200R008C00, V200R009C00, V200R010C00; S7700 V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C0; S9700 V200R006C00, V200R007C00, V200R007C01, V200R008C00, V200R009C00, V200R010C00 have a DoS vulnerability due to insufficient validation of the Network Quality Analysis (NQA) packets. A remote attacker could exploit this vulnerability by sending malformed NQA packets to the target device. Successful exploitation could make the device restart. 2017-12-22 not yet calculated CVE-2017-15324
CONFIRM
huawei -- multiple_products
 
RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R006C00; TE40 V500R002C00, V600R006C00; TE50 V500R002C00, V600R006C00; TE60 V100R001C10, V500R002C00, V600R006C00 have out-of-bounds read vulnerabilities in some Huawei products. Due to insufficient input validation, a remote attacker could exploit these vulnerabilities by sending specially crafted SS7 related packets to the target devices. Successful exploitation will cause an out-of-bounds read and possibly crash the system. 2017-12-22 not yet calculated CVE-2017-15319
CONFIRM
huawei -- multiple_products
 
RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R006C00; TE40 V500R002C00, V600R006C00; TE50 V500R002C00, V600R006C00; TE60 V100R001C10, V500R002C00, V600R006C00 have out-of-bounds read vulnerabilities in some Huawei products. Due to insufficient input validation, a remote attacker could exploit these vulnerabilities by sending specially crafted SS7 related packets to the target devices. Successful exploitation will cause an out-of-bounds read and possibly crash the system. 2017-12-22 not yet calculated CVE-2017-15320
CONFIRM
huawei -- smartcare
 
Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) vulnerability in the dashboard module. A remote authenticated attacker could exploit this vulnerability to inject malicious scripts in the affected device. 2017-12-22 not yet calculated CVE-2017-15312
CONFIRM
huawei -- smartcare

 
Huawei SmartCare V200R003C10 has a CSV injection vulnerability. A remote authenticated attacker could inject malicious CSV expressions into the affected device. 2017-12-22 not yet calculated CVE-2017-15313
CONFIRM
ibm -- business_process_manager
 
IBM Business Process Manager 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128692. 2017-12-20 not yet calculated CVE-2017-1494
CONFIRM
BID
MISC
ibm -- integration_bus
 
IBM Integration Bus 9.0 and 10.0 transmits user credentials in clear text, which can be read by an attacker using man-in-the-middle techniques. IBM X-Force ID: 134165. 2017-12-20 not yet calculated CVE-2017-1694
CONFIRM
MISC
ibm -- jazz_for_service_management
 
IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 133140. 2017-12-20 not yet calculated CVE-2017-1631
CONFIRM
MISC
ibm -- jazz_for_service_management
 
IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 135519. 2017-12-20 not yet calculated CVE-2017-1746
CONFIRM
MISC
ibm -- qradar
 
IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 134178. 2017-12-20 not yet calculated CVE-2017-1696
CONFIRM
MISC
ibm -- robotic_process_automation
 
IBM Robotic Process Automation with Automation Anywhere 10.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 135546. 2017-12-20 not yet calculated CVE-2017-1751
CONFIRM
MISC
ibm -- security_guardium
 
IBM Security Guardium 10.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 135858. 2017-12-20 not yet calculated CVE-2017-1757
CONFIRM
MISC
ibm -- websphere_portal
 
IBM WebSphere Portal 8.5 and 9.0 exposes backend server URLs that are configured for usage by the Web Application Bridge component. IBM X-Force ID: 127476. 2017-12-20 not yet calculated CVE-2017-1423
SECTRACK
MISC
CONFIRM
ibm -- security_guardium

IBM Security Guardium 10.0 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 124741. 2017-12-20 not yet calculated CVE-2017-1266
CONFIRM
MISC
ibm -- security_guardium

IBM Security Guardium 10.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 124745. 2017-12-20 not yet calculated CVE-2017-1270
CONFIRM
MISC
ibm -- security_guardium

IBM Security Guardium 10.0 Database Activity Monitor could allow a local attacker to obtain highly sensitive information via unspecified vectors. IBM X-Force ID: 132550. 2017-12-20 not yet calculated CVE-2017-1596
CONFIRM
MISC
ibm -- security_guardium
 
IBM Security Guardium 10.0 Database Activity Monitor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132613. 2017-12-20 not yet calculated CVE-2017-1600
CONFIRM
MISC
ibm -- security_guardium
 
IBM Security Guardium 10.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 124736. 2017-12-20 not yet calculated CVE-2017-1261
CONFIRM
MISC
ibm -- security_guardium
 
IBM Security Guardium 10.0 Database Activity Monitor uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 132611. 2017-12-20 not yet calculated CVE-2017-1598
CONFIRM
MISC
ibm -- security_guardium
 
IBM Security Guardium 10.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 124737. 2017-12-20 not yet calculated CVE-2017-1262
CONFIRM
MISC
ibm -- security_guardium
 
IBM Security Guardium 10.0 Database Activity Monitor could allow a local attacker to obtain highly sensitive information via unspecified vectors. IBM X-Force ID: 132549. 2017-12-20 not yet calculated CVE-2017-1595
CONFIRM