- 2018 트렌드는 p14부터 소개됩니다.

 

 

 

 

 

 

1. AR Gets Real

2. The End of Typing

3. The Tragedy fo the Commons in Influencer Marketing

4. The Amazon Awakening

5. Seriously Serious

   - Privacy, Data Security, GDPR & Government-Backed Attacks

Posted by manga0713

 

 

 

Posted by manga0713

 

 

 

 

 

 

 

 

 

 

*** 출처: [하나금융경영연구소] 2018년 산업별 전망

*** 문서:

2018 산업전망.pdf

 

 

 

 

■ 목차

 

I. 산업별 기상도 및 경기 사이클

II. Bird's Eye View

III. 주요 산업별 경기 전망

IV. 이슈 분석

V. 주요 산업 중장기 경기 사이클

 

Posted by manga0713

 

 

 

*** 출처: [US-CERT: Bulletin(SB18-001)] 2017년 12월 25일까지 발표된 보안 취약점

 

 

 

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

 

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "IOSurface" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-25 9.3 CVE-2017-13861
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-25 9.3 CVE-2017-13862
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-25 9.3 CVE-2017-13867
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-25 9.3 CVE-2017-13876
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "IOKit" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-27 9.3 CVE-2017-7162
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- iphone_os An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. The issue involves the "IOKit" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-25 9.3 CVE-2017-13847
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- iphone_os An issue was discovered in certain Apple products. iOS before 11.2 is affected. The issue involves the "IOMobileFrameBuffer" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-25 9.3 CVE-2017-13879
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "IOKit" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app. 2017-12-25 9.3 CVE-2017-13848
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "IOKit" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app. 2017-12-25 9.3 CVE-2017-13858
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (out-of-bounds read) via a crafted app. 2017-12-25 9.3 CVE-2017-13875
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-25 9.3 CVE-2017-13883
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-27 9.3 CVE-2017-7155
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "IOAcceleratorFamily" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-27 9.3 CVE-2017-7159
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2017-12-27 9.3 CVE-2017-7163
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service (ReadOneMNGImage large loop) via a crafted mng image file. 2017-12-27 7.1 CVE-2017-17914
CONFIRM(link is external)
Back to top

 

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app that triggers type confusion. 2017-12-25 4.3 CVE-2017-13855
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 2017-12-25 6.8 CVE-2017-13856
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. 2017-12-25 4.3 CVE-2017-13865
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 2017-12-25 6.8 CVE-2017-13866
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. 2017-12-25 4.3 CVE-2017-13868
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read restrictions via a crafted app. 2017-12-25 4.3 CVE-2017-13869
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 2017-12-25 6.8 CVE-2017-13870
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2.1 is affected. tvOS before 11.2.1 is affected. The issue involves the "HomeKit" component. It allows remote attackers to modify the application state by leveraging incorrect message handling, as demonstrated by use of an Apple Watch to obtain an encryption key and unlock a door. 2017-12-25 5.0 CVE-2017-13903
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
MISC(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. The issue involves the "Kernel" component. It allows local users to bypass intended memory-read restrictions or cause a denial of service (system crash). 2017-12-27 5.6 CVE-2017-7154
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 2017-12-27 6.8 CVE-2017-7156
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 2017-12-27 6.8 CVE-2017-7157
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- apple_tv An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. tvOS before 11.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 2017-12-27 6.8 CVE-2017-7160
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- icloud An issue was discovered in certain Apple products. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected. The issue involves the "APNs Server" component. It allows man-in-the-middle attackers to track users by leveraging mishandling of client certificates. 2017-12-25 4.3 CVE-2017-13864
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- iphone_os An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. The issue involves the "Mail Drafts" component. It allows man-in-the-middle attackers to read e-mail content by leveraging mishandling of S/MIME credential encryption. 2017-12-25 4.3 CVE-2017-13860
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
apple -- iphone_os An issue was discovered in certain Apple products. iOS before 11.2 is affected. The issue involves the "Mail" component. It might allow remote attackers to bypass an intended encryption protection mechanism by leveraging incorrect S/MIME certificate selection. 2017-12-25 5.0 CVE-2017-13874
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
apple -- iphone_os An issue was discovered in certain Apple products. iOS before 11.2 is affected. The issue involves the "Mail Message Framework" component. It allows remote attackers to spoof the address bar via a crafted web site. 2017-12-27 4.3 CVE-2017-7152
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Mail" component. It allows remote attackers to read cleartext e-mail content (for which S/MIME encryption was intended) by leveraging the lack of installation of an S/MIME certificate by the recipient. 2017-12-25 5.0 CVE-2017-13871
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows local users to bypass intended memory-read restrictions or cause a denial of service (out-of-bounds read and system crash). 2017-12-25 5.6 CVE-2017-13878
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
apple -- mac_os_x An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Screen Sharing Server" component. It allows attackers to obtain root privileges for reading files by leveraging screen-sharing access. 2017-12-27 6.8 CVE-2017-7158
CONFIRM(link is external)
graphicsmagick -- graphicsmagick In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region. 2017-12-27 6.8 CVE-2017-17912
CONFIRM
CONFIRM(link is external)
graphicsmagick -- graphicsmagick In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based buffer over-read in WriteWEBPImage in coders/webp.c, related to an incompatibility with libwebp versions, 0.5.0 and later, that use a different structure type. 2017-12-27 6.8 CVE-2017-17913
CONFIRM
CONFIRM(link is external)
graphicsmagick -- graphicsmagick In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadMNGImage in coders/png.c, related to accessing one byte before testing whether a limit has been reached. 2017-12-27 6.8 CVE-2017-17915
CONFIRM
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based buffer over-read in ReadOneMNGImage in coders/png.c, related to length calculation and caused by an off-by-one error. 2017-12-27 6.8 CVE-2017-17879
BID(link is external)
CONFIRM(link is external)
DEBIAN
imagemagick -- imagemagick In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based buffer over-read in WriteWEBPImage in coders/webp.c, related to a WEBP_DECODER_ABI_VERSION check. 2017-12-27 6.8 CVE-2017-17880
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted MAT image file. 2017-12-27 4.3 CVE-2017-17881
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadXPMImage in coders/xpm.c, which allows attackers to cause a denial of service via a crafted XPM image file. 2017-12-27 4.3 CVE-2017-17882
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadPGXImage in coders/pgx.c, which allows attackers to cause a denial of service via a crafted PGX image file. 2017-12-27 4.3 CVE-2017-17883
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in the function WriteOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted PNG image file. 2017-12-27 4.3 CVE-2017-17884
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadPICTImage in coders/pict.c, which allows attackers to cause a denial of service via a crafted PICT image file. 2017-12-27 4.3 CVE-2017-17885
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a denial of service via a crafted psd image file. 2017-12-27 4.3 CVE-2017-17886
CONFIRM(link is external)
imagemagick -- imagemagick In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in the function GetImagePixelCache in magick/cache.c, which allows attackers to cause a denial of service via a crafted MNG image file that is processed by ReadOneMNGImage. 2017-12-27 4.3 CVE-2017-17887
CONFIRM(link is external)
imagemagick -- imagemagick ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, related to MSLPopImage and ProcessMSLScript, and associated with mishandling of MSLPushImage calls. 2017-12-27 5.0 CVE-2017-17934
CONFIRM(link is external)
Back to top

 

Low Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
There were no low vulnerabilities recorded this week.
Back to top

 

Severity Not Yet Assigned

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
2daybiz.com -- readymade_job_site_script
 
Readymade Job Site Script has SQL Injection via the location_name array parameter to the /job URI. 2017-12-27 not yet calculated CVE-2017-17895
MISC(link is external)
2daybiz.com -- readymade_job_site_script
 
Readymade Job Site Script has CSRF via the /job URI. 2017-12-27 not yet calculated CVE-2017-17894
MISC(link is external)
2daybiz.com -- readymade_job_site_script
 
Readymade Job Site Script has XSS via the keyword parameter to the /job URI. 2017-12-27 not yet calculated CVE-2017-17896
MISC(link is external)
airlive -- multiple_products
 
cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests. 2017-12-27 not yet calculated CVE-2014-8389
MISC(link is external)
FULLDISC
BUGTRAQ(link is external)
BID(link is external)
MISC(link is external)
allmediaserver -- allplayer
 
A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 888. 2017-12-28 not yet calculated CVE-2017-17932
EXPLOIT-DB(link is external)
anti-web -- anti-web
 
cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS, Ouman EH-net, Alliance System WS100 --> AWU 500, Sauter ERW100F001, Carlo Gavazzi SIU-DLG, AEDILIS SMART-1, SYXTHSENSE WebBiter, ABB SREA, and ASCON DY WebServer devices, allows remote authenticated users to execute arbitrary OS commands via crafted multipart/form-data content, a different vulnerability than CVE-2017-9097. 2017-12-27 not yet calculated CVE-2017-17888
MISC(link is external)
MISC
MISC(link is external)
apache -- flexblaze_ds
 
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution. 2017-12-28 not yet calculated CVE-2017-5641
MLIST
BID(link is external)
SECTRACK(link is external)
CONFIRM
CERT-VN
archon -- archon
 
packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?p=core/contact request, aka Open Bug Bounty ID OBB-278503. 2017-12-27 not yet calculated CVE-2017-17911
MISC
artifex -- mupdf
 
pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain length changes when a repair operation occurs during a clean operation, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted PDF document. 2017-12-27 not yet calculated CVE-2017-17866
CONFIRM(link is external)
CONFIRM(link is external)
asterisk -- asterisk
 
An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized before reaching the crash point. 2017-12-27 not yet calculated CVE-2017-17850
CONFIRM
SECTRACK(link is external)
CONFIRM
auth0/passport-wsfed-saml2_library -- auth0/passport-wsfed-saml2_library
 
A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response). 2017-12-27 not yet calculated CVE-2017-16897
CONFIRM(link is external)
ba_systems -- bas_web
 
BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_sid_js.aspx or isc/get_sid.aspx, as demonstrated by obtaining administrative access by subsequently using the credential information for the Supervisor/Administrator account. 2017-12-29 not yet calculated CVE-2017-17974
MISC(link is external)
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request. 2017-12-29 not yet calculated CVE-2017-17995
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System has XSS via the amount parameter in an index.php?user=addition_deduction request. 2017-12-29 not yet calculated CVE-2017-17993
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action. 2017-12-29 not yet calculated CVE-2017-17990
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System has XSS via the expense_name parameter in an index.php?user=expenses request. 2017-12-29 not yet calculated CVE-2017-17991
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action. 2017-12-29 not yet calculated CVE-2017-17989
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System allows Arbitrary File Download via directory traversal sequences in the index.php form_file_name parameter in a download_form action. 2017-12-29 not yet calculated CVE-2017-17992
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request. 2017-12-29 not yet calculated CVE-2017-17994
MISC(link is external)
biometric_shift_employee_management_system -- biometric_shift_employee_management_system 
 
Biometric Shift Employee Management System 3.0 allows remote attackers to bypass intended file-read restrictions via a user=download request with a pathname in the path parameter. 2017-12-27 not yet calculated CVE-2017-17876
EXPLOIT-DB(link is external)
cells -- cells_blog
 
Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter. 2017-12-28 not yet calculated CVE-2017-17950
MISC(link is external)
cells -- cells_blog
 
Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter. 2017-12-28 not yet calculated CVE-2017-17949
MISC(link is external)
cells -- cells_blog
 
Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic request. 2017-12-28 not yet calculated CVE-2017-17948
MISC(link is external)
dolibarr -- erp/crm
 
SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter. 2017-12-27 not yet calculated CVE-2017-17900
CONFIRM(link is external)
dolibarr -- erp/crm
 
Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information. 2017-12-27 not yet calculated CVE-2017-17898
CONFIRM(link is external)
CONFIRM(link is external)
dolibarr -- erp/crm
 
SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. 2017-12-27 not yet calculated CVE-2017-17899
CONFIRM(link is external)
dolibarr -- erp/crm
 
SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. 2017-12-27 not yet calculated CVE-2017-17897
CONFIRM(link is external)
dolibarr -- erp/crm
 
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS. 2017-12-29 not yet calculated CVE-2017-17971
MISC(link is external)
dozer -- dozer
 
Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. 2017-12-29 not yet calculated CVE-2014-9515
CONFIRM(link is external)
MISC(link is external)
MISC
enigmail -- enigmail 
 
An issue was discovered in Enigmail before 1.9.9. Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp), aka TBE-01-001. 2017-12-27 not yet calculated CVE-2017-17845
MISC(link is external)
MISC
DEBIAN
MISC(link is external)
enigmail -- enigmail 
 
An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002. 2017-12-27 not yet calculated CVE-2017-17843
MISC(link is external)
MISC
DEBIAN
MISC(link is external)
enigmail -- enigmail 
 
An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message, aka TBE-01-021. This is demonstrated by an e-mail message with an attachment that is a signed e-mail message in message/rfc822 format. 2017-12-27 not yet calculated CVE-2017-17847
MISC(link is external)
MISC
MISC(link is external)
DEBIAN
MISC(link is external)
enigmail -- enigmail 
 
An issue was discovered in Enigmail before 1.9.9. In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed. In other words, the entire containing message appears to be signed, but the recipient does not see any of the signed text. 2017-12-27 not yet calculated CVE-2017-17848
MISC
MISC(link is external)
DEBIAN
enigmail -- enigmail 
 
An issue was discovered in Enigmail before 1.9.9. Regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings, aka TBE-01-003. 2017-12-27 not yet calculated CVE-2017-17846
MISC(link is external)
MISC
DEBIAN
MISC(link is external)
enigmail -- enigmail 
 
An issue was discovered in Enigmail before 1.9.9. A remote attacker can obtain cleartext content by sending an encrypted data block (that the attacker cannot directly decrypt) to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text, aka the TBE-01-005 "replay" issue. 2017-12-27 not yet calculated CVE-2017-17844
MISC(link is external)
MISC
DEBIAN
MISC(link is external)
ffmpeg -- ffmpeg
 
The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file. 2017-12-27 not yet calculated CVE-2017-9608
MLIST(link is external)
MLIST(link is external)
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
DEBIAN
flexsense -- sysguage_server
 
In Flexense SysGauge Server 3.6.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9221. 2017-12-28 not yet calculated CVE-2017-15667
EXPLOIT-DB(link is external)
fortunescripts.com -- fs_lynda_clone
 
FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by adding content to the user panel. 2017-12-27 not yet calculated CVE-2017-17903
MISC(link is external)
fortunescripts.com -- fs_lynda_clone
 
FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the edit_profile_first_name parameter to user/edit_profile. 2017-12-27 not yet calculated CVE-2017-17904
MISC(link is external)
getgo_software -- getgo_download_manager
 
A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. 2017-12-27 not yet calculated CVE-2017-17849
MISC(link is external)
EXPLOIT-DB(link is external)
google -- play
 
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data. 2017-12-29 not yet calculated CVE-2014-3630
CONFIRM(link is external)
CONFIRM(link is external)
MISC
CONFIRM(link is external)
hoermann -- bisecur_devices
 
On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur transmitter and a receiver to obtain the encrypted packet and the 32-bit serial number. The interception of the one-time pairing process is specifically not required. Due to use of AES-128 with an initial static random value and static data vector (all of this static information is the same across different customers' installations), the attacker can easily derive the utilized encryption key and decrypt the intercepted packet. The key can be verified by decrypting the intercepted packet and checking for known plaintext. Subsequently, an attacker can create arbitrary radio frames with the correct encryption key to control BiSecur garage and entrance gate operators and possibly other BiSecur systems as well ("wireless cloning"). To conduct the attack, a low cost Software Defined Radio (SDR) is sufficient. This affects Hoermann Hand Transmitter HS5-868-BS, HSE1-868-BS, and HSE2-868-BS devices. 2017-12-29 not yet calculated CVE-2017-17910
MISC(link is external)
MISC(link is external)
ibm -- rational_collaborative_lifecycle_managment
 
An undisclosed vulnerability in CLM applications (including IBM Rational Collaborative Lifecycle Management 4.0, 5.0, and 6.0) with potential for failure to restrict URL Access. IBM X-Force ID: 123661. 2017-12-27 not yet calculated CVE-2017-1191
CONFIRM(link is external)
MISC(link is external)
ibm -- team_concert
 
IBM Team Concert (RTC including IBM Rational Collaborative Lifecycle Management 4.0, 5.0., and 6.0) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-force ID: 126858. 2017-12-27 not yet calculated CVE-2017-1365
CONFIRM(link is external)
MISC(link is external)
ibm -- websphere_portal
 
IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could reveal sensitive information from an error message that could lead to further attacks against the system. IBM X-Force ID: 124390. 2017-12-27 not yet calculated CVE-2017-1698
CONFIRM(link is external)
BID(link is external)
SECTRACK(link is external)
MISC(link is external)
jboss -- keycloak
 
JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. 2017-12-29 not yet calculated CVE-2014-3651
CONFIRM(link is external)
CONFIRM
joomla! -- joomla!
 
The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action. 2017-12-27 not yet calculated CVE-2017-17875
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL Injection via the an parameter in a view=tags action, or the ques-srch parameter. 2017-12-27 not yet calculated CVE-2017-17871
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the appid parameter in an entriessearch action. 2017-12-27 not yet calculated CVE-2017-17870
MISC
EXPLOIT-DB(link is external)
joomla! -- joomla!
 
Multiple cross-site scripting (XSS) vulnerabilities in helpers/comment.php in the StackIdeas Komento (com_komento) component before 2.0.5 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) img or (2) url tag of a new comment. 2017-12-27 not yet calculated CVE-2015-7324
FULLDISC
CONFIRM(link is external)
MISC(link is external)
joomla! -- joomla!
 
The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action. 2017-12-27 not yet calculated CVE-2017-17872
EXPLOIT-DB(link is external)
kingsoft -- wps_office
 
pptreader.dll in Kingsoft WPS Office 10.1.0.6930 allows remote attackers to cause a denial of service via a crafted PPT file, aka CNVD-2017-35482. 2017-12-28 not yet calculated CVE-2017-17967
MISC
libtiff -- libtiff
 
In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c. 2017-12-28 not yet calculated CVE-2017-17942
MISC
BID(link is external)
libtiff -- libtiff
 
In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. 2017-12-29 not yet calculated CVE-2017-17973
MISC
liferay -- liferay_portal
 
In Liferay Portal 6.1.0, the tags section has XSS via a Public Render Parameter (p_r_p) value, as demonstrated by p_r_p_564233524_tag. 2017-12-27 not yet calculated CVE-2017-17868
MISC(link is external)
linux -- linux_kernel kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect BPF_RSH signed bounds calculations. 2017-12-27 not yet calculated CVE-2017-17853
MISC
MISC(link is external)
MISC(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service. 2017-12-27 not yet calculated CVE-2017-17862
MISC
SECTRACK(link is external)
MISC
MISC(link is external)
DEBIAN
MISC(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic. 2017-12-27 not yet calculated CVE-2017-17854
MISC
MISC(link is external)
MISC(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the lack of stack-pointer alignment enforcement. 2017-12-27 not yet calculated CVE-2017-17856
MISC
MISC(link is external)
MISC(link is external)
linux -- linux_kernel
 
The check_stack_boundary function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of invalid variable stack read operations. 2017-12-27 not yet calculated CVE-2017-17857
MISC
MISC(link is external)
MISC(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging improper use of pointers in place of scalars. 2017-12-27 not yet calculated CVE-2017-17855
MISC
MISC(link is external)
MISC(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging mishandling of 32-bit ALU ops. 2017-12-27 not yet calculated CVE-2017-17852
MISC
MISC(link is external)
MISC(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does not check the relationship between pointer values and the BPF stack, which allows local users to cause a denial of service (integer overflow or invalid memory access) or possibly have unspecified other impact. 2017-12-27 not yet calculated CVE-2017-17863
SECTRACK(link is external)
MISC
DEBIAN
MISC(link is external)
linux -- linux_kernel
 
Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and free this data structure. 2017-12-29 not yet calculated CVE-2017-17975
MISC
linux -- linux_kernel
 
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension. 2017-12-27 not yet calculated CVE-2017-16995
MISC
MISC(link is external)
BID(link is external)
MISC
MISC(link is external)
DEBIAN
linux -- linux_kernel
 
The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set. 2017-12-29 not yet calculated CVE-2016-3695
CONFIRM(link is external)
CONFIRM(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling. 2017-12-27 not yet calculated CVE-2017-16996
MISC
MISC(link is external)
BID(link is external)
MISC
MISC(link is external)
linux -- linux_kernel
 
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a "pointer leak." 2017-12-27 not yet calculated CVE-2017-17864
SECTRACK(link is external)
MISC
MISC
DEBIAN
magento -- magento
 
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503. 2017-12-30 not yet calculated CVE-2016-10704
CONFIRM(link is external)
mediawiki -- mediawiki
 
The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token. 2017-12-29 not yet calculated CVE-2015-8008
FEDORA
FEDORA
FEDORA
MLIST(link is external)
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
MLIST
CONFIRM
mistune -- mistune
 
Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape the "key" argument. 2017-12-29 not yet calculated CVE-2017-16876
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
FEDORA
mozilla -- network_security_services
 
Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. 2017-12-27 not yet calculated CVE-2017-11696
MISC(link is external)
FULLDISC
MISC(link is external)
BID(link is external)
SECTRACK(link is external)
mozilla -- network_security_services
 
Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. 2017-12-27 not yet calculated CVE-2017-11698
MISC(link is external)
FULLDISC
MISC(link is external)
BID(link is external)
SECTRACK(link is external)
mozilla -- network_security_services
 
The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file. 2017-12-27 not yet calculated CVE-2017-11697
MISC(link is external)
FULLDISC
MISC(link is external)
BID(link is external)
SECTRACK(link is external)
mozilla -- network_security_services
 
Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. 2017-12-27 not yet calculated CVE-2017-11695
MISC(link is external)
FULLDISC
MISC(link is external)
BID(link is external)
SECTRACK(link is external)
mqtt.js -- mqtt.js
 
MQTT.js 2.x.x prior to 2.15.0 issue in handling PUBLISH tickets may lead to an attacker causing a denial-of-service condition. 2017-12-27 not yet calculated CVE-2017-10910
MISC(link is external)
MISC(link is external)
JVN(link is external)
nettransport_download_manager -- nettransport_download_manager 
 
A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP response. 2017-12-29 not yet calculated CVE-2017-17968
EXPLOIT-DB(link is external)
netwin -- surgeftp
 
cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or 9021) in NetWin SurgeFTP version 23f2 has XSS via the classid, domainid, or username parameter. 2017-12-29 not yet calculated CVE-2017-17933
MISC(link is external)
open-iscsi -- open-iscsi
 
An issue was discovered in Open-iSCSI through 2.0.875. A local attacker can cause the iscsiuio server to abort or potentially execute code by sending messages with incorrect lengths, which (due to lack of checking) can lead to buffer overflows, and result in aborts (with overflow checking enabled) or code execution. The process_iscsid_broadcast function in iscsiuio/src/unix/iscsid_ipc.c does not validate the payload length before a write operation. 2017-12-27 not yet calculated CVE-2017-17840
MISC(link is external)
MISC
opencv -- opencv
 
OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData function in grfmt_pxm.cpp, because an incorrect size value is used. 2017-12-29 not yet calculated CVE-2017-17760
MISC(link is external)
MISC(link is external)
oracle -- jarsigner
 
jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation. 2017-12-29 not yet calculated CVE-2013-