[단계별 블록체인 제공 가치]

 

 

 

*** 출처: [iitp] 블록체인을 활용한 효율성 향상 적용 사례 - 유성민

*** 문서:

file3436627543252818522-183402.pdf

 

 

 

 

I. 서론

 

 

- 비트코인 때문에 블록체인을 '위변조 방지' 기술로만 오해하는 경우가 있으나 이는 큰 오해이다. 블록체인의 근본적인 가치는 '공유'라고 할 수 있으며 이를 기반으로 '효율성'이라는 가치로 이어지고 있다.

 

 

 

II. 블록체인 플랫폼 분석

 

1. 블록체인 계층

2. 블록체인 유형

3. 블록체인 제공 가치

 

 

 

III. 블록체인 적용으로 인한 효율성 향상 사례

 

 

1. 중개기관 간소화로 인한 효율성 향상 사례

 

① 개인간 전력 거래

 

- 2016년 4월 미국 브루클린 지역의 '트랜젝티브그리드(TransactiveGrid)'와 'LO3 에너지' 합작으로 태양광으로 생산한 전력을 개인 간에 사고 팔 수 있게 했다.

 

 

② 음반 산업

 

- 2015년 10월 미국 유명 가수인 이모겐 힙(Imogen Heap)은 블록체인 기반으로 음원을 판매했다.

 

 

③ 금융 분야

 

- 2017년 2월 설립된 EEA(Enterprise Etereum Alliance)의 첫 목표는 블록체인을 적용하는 중개기관을 거치지 않고 환전 하는 것이다.

 

- 2015년 11월 골드만삭스는 증권 거래 시간을 줄이기 위해 블록체인 기반의 증권 거래 시스템 개발

 

 

 

2. 병렬처리로 인한 효율성 향상 사례

 

① 자전거 도난 사고 대응

 

- 네덜란드 자동차 등록청 'RDW', 2016년 6월, 블록체인을 활용한 자전거 도난 사고 시스템 실증 완료. 자전거 도난 사고 신고가 관련 기관에 동시에 전달되는 시스템

 

 

② 토지대장 등록

 

- 스웨덴, 2016년 6월, 토지 대장 등록 시스템에 블록체인 적용 개발 가능성 테스트 완료. 관련 기관이 동시에 토지 대장 등록 관련 업무를 처리하게 할 계획

 

 

③ 전자문서 공유

 

- 두바이는 도시 내에 블록체인 적용을 위해 2016년 2월 '글로벌 블록체인 의회(Global Blockchain Council)'를 설립

 

 

④ 식품이력 관리

 

- 2016년 11월, 월마트와 중국 칭화대, IBM은 음식 이력을 블록체인으로 추적할 수 있는 시스템 개발

Posted by manga0713

[https://chicisimo.com/]

 

 

 

 

*** 출처: [iitp] 기계학습 기반 패션 스타일 추천 서비스 '치키시모 Chicisimo

*** 문서:

file4034393044442436117-183404.pdf

 

 

 

 

■ 치키시모 Chicisimo

 

 

- 2010년 미국에서 설립, 처음에는 블로그로 시작, 이후 앱으로 출시, 2018년 초 현재 약 400만 명의 이용자

 

- 인공지능의 패션, 코디 제안은 우선 '스타일'과 '멋'을 이해시키는 것으로부터 시작해야 함

 

- 치키시모 개발팀은 음악 분야 등에서 '멋'을 주제로 한 프로젝트에 기계학습 도입 경험이 있음

 

- 컴퓨터가 '멋'을 이해하면 보다 관련성 있고 의미 있는 콘텐츠를 제공할 수 있어 '온라인 패션'이 크게 바뀔 것이라고 생각했다 함

 

- 개발팀이 가장 주력한 것은 기계학습을 위해 올바른 '데이터 세트'를 만드는 것이었으며 이를 토대로 '모바일 앱'과 '데이터 플랫폼'이라는 핵심 자산을 개발하였음

 

- 과거의 앱 개발 경험을 통해 사람들에게 앱을 사용해 보게 하는 것은 쉽지만 "계속 사용하도록 붙잡아 두는 것(retention)"은 매우 어렵다는 것을 배웠으며, 문제 해결을 위해 단순한 기능의 반복에 초점을 맞춰 이용자가 가능한 빨리 배울 수 있게 하였음

 

 

 

■ 치키시모는 사람들이 '잔류(retention)'를 결정하는 진짜 이유가 무엇인지, 콘텐츠와 사람을 매치하는 데 필요한 알고리즘이 무엇인지를 이해하는 데 오랜 시간을 투자했다고 함

 

① "행동학적 코호트(behavioral cohorts)'를 이용하여 잔류를 높이는 요소를 발견 함

 

- "코호트"는 통계적으로 동일한 특성이나 행동 양식을 공유하는 집단을 의미하며, 개발팀은 사용자가 "어떤 행동을 했는가" 뿐만 아니라 "어떤 가치를 느꼈는가"에 대해서도 믹스패널(Mixpanel)을 이용하여 코호트 분석을 실행하였음

 

- 측정 가능한 가치를 찾아내기 위해 분석-테스트-개선의 과정을 반복하고 잔류에 악영향을 미치는 요소들도 식별하여 제거해 나갔다고 함

 

 

② "온보딩 프로세스(on-boarding process)"를 새롭게 사고 함

 

- 온보딩 프로세스는 새롭게 조직에 합류한 사람들이 잘 적응할 수 있도록 지원하는 여러 프로그램을 말하며, 치키시모는 "신규 회원이 가능한 빨리 앱의 가치를 발견하도록 하여 고객을 잃어버리지 않게 해주는" 프로세스로 재정의 함

 

 

 

■ 치키시모 개발의 2단계는 사람들의 패션 욕구를 학습하는 데이터 플랫폼을 구축하는 것으로, 사람들의 취향을 이해하여 더 나은 코디 제안을 하는 것이 목표 임

 

- 치키시모의 콘텐츠는 100% 모두 사용자들이 생성한 것(UCC)이어서 몇 가지 문제점을 낳게 되는데, 시스템은 다양한 유형의 콘텐츠를 자동으로 분류할 수 있어야 하며, 적절한 인센티브를 구성해야 하고, 콘텐츠와 욕구의 매칭 방법을 이해해야 함

 

- 자신들이 '소셜 패션 그래프(Social Fashion Graph)'라 부르는 도구의 개발을 완료함으로써 양질의 데이터 세트를 만들어 낼 수 있게 되었음

 

- 이 도구로 생성된 그래프는 '욕구 · 옷 입기 · 사람"이라는 세 요소가 어떻게 상호 관련성을 갖는지 간결하게 시각화 해주는 것으로, 치키시모의 데이터 플랫폼을 구축하는 데 도움을 주었으며 양질의 데이터 세트를 만들어 앱을 학습시키는 데도 도움을 주었다고 함

 

 

 

■ 옷의 코디는 "음악의 재생 목록"과 같은 것으로, 여러 옷가지가 함께 소비되었을 때 의미를 갖게 되는 "패션 상품들의 조합"

 

- 소셜 패션 그래프를 적용해도 여전히 데이터 노이즈가 존재하는 데, 사람들은 동일한 욕구를 여러가지 방식으로 표현하기도 하고 반대로 서로 다른 옷 입기 방식이지만 근본 욕구는 같은 경우도 있으며, 이 때문에 콘텐츠와 욕구의 연결은 더욱 어려운 일이 됨

 

- 치키시모는 코디 컨셉을 수집하고, 여러 다양한 방식 중에 가치가 동일한 것들을 찾아내어 동일한 욕구를 다양하게 표현해 줄 수 있는 시스템을 구축함으로써 다양성을 구현하는 가운데서 구조화를 달성하였음

 

- 이런 과정을 거쳐 치키시모는 "오늘 뭐 입지"라는 욕구에 발생하는 상황을 목록화 하였으며, 이를 토대로 데이터 세트를 튜닝 함

 

 

[치키시모 앱을 이용한 패션 코디 추천 받기]

 

Posted by manga0713

[인공지능 기술의 3단계]

 

 

 

 

*** 출처: [nipa] 인공지능 기술의 개념과 최신 동향 - AI 기술을 적용한 3가지 사례 - 이형민 비전컴퍼니 대표

*** 문서:

인공지능 기술의 개념과 최신 동향 AI 기술을 적용한 3가지 사례.pdf

 

 

 

 

1. 인공지능 로봇 ‘소피아(Sophia)’

 

- 홍콩의 휴머노이드 로봇 전문 스타트업 ‘핸슨 로보틱스(Hanson Robotics)’가 개발

 

- 실리콘과 플러버로 피부를 만들어 색소와 반점, 목주름까지 매우 섬세해 멀리서 보면 사람과 거의 흡사

 

- 사람처럼 60가지나 되는 감정을 느끼고 표현

 

- 사우디아라비아 정부로부터 정식 시민권을 받음

 

- 2017 미래 투자 이니셔티브 행사에 연사로 초대되어 사회자와 토론을 벌임. 단순하고 일상적인 대화 수준을 넘어 매우 뛰어난 지적 수준을 보여줌

 

 

 

2. 인공지능 식료품점 ‘아마존 고’

 

- ‘저스트 워크아웃 테크놀로지(Just Walk Out Technology)’를 매장에 적용

 

- 저스트 워크아웃 테크놀로지는 고객이 쇼핑하는 동안 자율주행 센서가 부착된 원형 카메라가 쇼핑객의 동선을 따라다니며 진열대의 상품을 집어 들거나 내려놓는 행위를 정확히 인식해 반영하는 기술

 

 

 

3. 인공지능 베스트셀러 출판사 ‘인키트’

 

 

 

 

 

[https://www.inkitt.com/]

 

 

 

- 지금까지 총 24권을 출간해 이 중 22권이 현재 아마존에서 분야별 20~50위의 베스트셀러로 등극한 출판사

 

- 베스트셀러 등록률이 무려 91.7%

 

- 사람이 해오던 편집자의 역할을 인공지능과 독자에게 맡김. 편집자의 주관적인 판단을 제거하고 객관적인 인공지능 솔루션과 독자들의 판단에 맡겨 오류를 없앤 것

 

- 유명하든 유명하지 않든 상관없이 누구나 인키트 플랫폼에 장르나 형식에 구애받지 않고 스토리를 올릴 수 있음. 현재 인키트에 등록된 저자는 4만 명, 연재가 끝났거나 진행 중인 스토리가 15만 개나 됨

 

- 독자는 선호하는 장르를 선택하면 다양한 스토리들을 추천받을 수 있으며, 스토리를 읽은 후에는 구성, 문체, 문법, 전반적인 느낌 등에 대해 별점을 매길 수 있음. 이 후 인공지능은 독자들의 반응을 분석해 베스트셀러 가능 여부를 판단함. 독자들이 해당 스토리를 얼마나, 얼마 동안 읽었는지 그리고 얼마나 몰입했는지, 재접속 해서 다시 계속 읽었는지 등을 종합적으로 분석함

 

- 이렇게 해서 책이 만들어지면 AI는 독자 데이터를 바탕으로 목표 타깃을 선별하고 출판사가 마케팅을 진행

 

- e북과 종이책 두 가지로 제작되며 저자에게 돌아가는 인세는 e북은 25%, 종이책은 51% 임

Posted by manga0713

[데이터 기반 산업 활성화를 위한 4대 공공 정책 분야]

 

 

 

 

*** 출처: [NIA] 데이터 기반 산업 활성화를 위한 4대 공공 정책 분석 - 구민영 교수

*** 문서:

20180205_IF-데이터_기반_산업_활성화를_위한_4대_공공_정책_분석.pdf

 

 

 

 

I. 산업의 중심이 되어 가는 데이터

 

 

■ 다양한 데이터의 대량 발생 시대

 

 

■ 데이터는 기업의 경쟁력을 좌우하고 경제 흐름에 영향을 미칠 정도로 산업의 중심으로 부각

 

 

 

 

II. 데이터 생태계와 주요 공공정책

 

 

1. 데이터 생애주기와 데이터 생태계

 

 

■ 데이터 생애주기 5단계

 

- 데이터 수집, 저장, 처리, 분석, 이용 등의 데이터 획득에서 폐기까지 발생하는 모든 활동

 

 

① 획득: 창조적 생산, 수집, 거래 및 무상 공유, 기존 데이터의 가공 등을 통해 데이터를 획득

 

- 데이터 획득 방법과 예

 

 

 

 

 

② 저장, 처리 및 융합: 목적에 맞는 활용을 위해 저장, 수정, 삭제, 보완 등의 처리 과정이나 융합 과정을 거침

 

 

③ 분석 및 이용: 목적에 부합하는 결과를 도출하기 위해 데이터를 분석하거나 이용

 

 

④ 보관: 분석 및 이용 결과와 관련된 데이터를 다양한 저장장치, 데이터 센터, 클라우드 서비스를 이용하여 보관

 

 

⑤ 재사용 및 폐기: 보관 데이터를 다른 목적을 위해 다시 사용하거나 일정기간 지나면 폐기 처분

 

 

 

2. 데이터 생태계에 적용되는 주요 공공정책

 

 

- 데이터 생애주기에 적용되는 공공정책: 개인정보보호, 저작권, 오픈데이터, 클라우드

 

 

 

 

 

 

- 데이터 환경에 적용되는 공공정책: 국가사이버보안정책, 교육 정책, 과학기술 정책 등

 

 

 

 

III. 데이터 기반 산업 관련 4대 공공정책 분석

 

 

1. 개인정보보호 정책

 

 

■ 개인정보는 자원으로서의 가치 상승과 함께 정보 프라이버시 보호에 대한 요구도 동시 증대

 

 

■ 정보주체의 동의 방식에 따라 옵트인(Opt-in)과 옵트아웃(Opt-out)

 

 

- 옵트인은 우선 통제권이 정보 주체인 개인에게 있고, 옵트아웃은 정보 사용자인 기업에게 있음

 

- 옵트인: 개인이 자신의 정보 이용에 대한 동의를 표하는 경우에만, 기업이 해당하는 개인정보를 이용 가능한 정책(동의할 권리)

 

- 옵트아웃: 개인이 자신의 정보 이용에 대해 거부를 표하는 경우에만, 기업이 해당하는 개인정보를 이용하지 못하는 정책(거부할 권리)

 

- 옵트인과 옵트아웃은 정책적 차이가 큼

 

 

 

 

 

 

데이터는 매우 한정적

 

 

 

■ 현재의 옵트인 방식에 대한 논의와 옵트아웃 방식으로의 전환 요구 대두

 

 

- 개인정보의 투입 시점부터 폐기까지의 과정에서 발생하는 비용과 이익을 누가 어떻게 향유하고 부담할 것인가에 대한 고려 필요

 

- 데이터 생명주기 단계, 조직 범위, 데이터 민감도 등 다양한 측면에서 옵트인과 옵트아웃을 유연하게 적용하는 방안 필요

 

- 개인정보 비식별화 제도 도입과 관련한 기술적, 법제도적, 가치 측면에서의 문제점 및 정책적 한계 대두

 

 

 

2. 데이터 저작권 및 소유권 정책

 

 

■ 현행법상 창작물로 인정되어 데이터 저작권을 보호받는 데이터는 매우 한정적

 

 

- 현행 저작권법 2조 1항은 저작물을 "인간의 사상 또는 감정을 표현한 창작물"로 정의

 

- 현행법상 기업의 내·외부에서 생성되는 모든 데이터의 저작권을 밝히고 이용 허가를 받는 것은 여러가지 측면에서 복잡

 

- 데이터 저작권은 창작물에 대한 권리만 보호하므로 경제적 가치가 있는 데이터 자원의 저작권 보호가 불가능

 

 

 

■ 데이터 정보 원천과 데이터 생성 주체가 다양한 데이터가 많아짐에 따라 데이터 소유권(Ownership)에 대한 이해관계가 복잡

 

 

- 정보 원천과 데이터 생성 주체에 따른 데이터 분류 및 데이터 소유권 이해관계

 

 

 

 

 

■ 2차 데이터의 소유권은 원시 데이터 사용 라이선스나 데이터 분석 및 재생산 소프트웨어 라이선스 계약으로 인해 더 복잡

 

 

 

 

3. 오픈 데이터 정책

 

 

■ 공공 데이터 활용 증대와 데이터 산업 활성화를 위해 현재 오픈 데이터 정책이 해결해야 할 과제 및 이슈에 대한 논의 필요

 

- 데이터 개방 확대 필요, 공개가 더 제한적인 건강, 보험, 재판, 수사 등 민감도가 높은 데이터에 대한 공개 여부, 공개 범위, 공개 방식에 대한 논의 필요

 

- 인공지능 학습과 데이터 분석을 위해 공개가 미흡한 공공 데이터 DB의 공개 확대를 위한 개방 원칙, 절차, 법적, 기술적 장치 마련 필요

 

- 공공 데이터 표준화 방안 필요

 

 

 

 

4. 클라우드 정책

 

 

■ 데이터 기반 산업 활성화를 위해 클라우드 서비스 관련 정책이 갖고 있는 현안과 이슈 해결 방안 필요

 

- 클라우드 기반 데이터 환경에 맞는 개인정보보호 정책 마련 필요

 

- 데이터 민감도 평가 기준 개발

 

 

 

 

IV. 정책적 제언

 

 

■ 4대 데이터 활동 정책 각각의 역할, 이슈와 쟁점, 생애주기의 영향력 범위에 대한 체계적이고 심도 깊은 이해가 필수적으로 선행되어야 함

 

 

- 데이터 기반 산업 관련 4대 공공정책의 주요 특징

 

 

 

Posted by manga0713

 

 

 

 

*** 출처: [kiri 보험연구원] 인공지능과 일자리 - 임준 연구위원

*** 문서:

KIRI_20180209_143955.pdf

 

 

 

 

■ 인공지능이 일자리에 미치는 영향에 대해서는 상반된 견해가 존재함

 

 

○ 직업 기반 접근법(Occupation-based approach)

 

- 전체 일자리의 35.7 ~ 59%가 대체될 가능성이 높다고 주장

 

 

○ 직무 기반 접근법(Task-based approach)

 

- 미국의 경우 단지 9%만 고위험군

- 경제적 실현 가능성(economic feasibility) 측면을 고려할 때 비용 측면에서 인공지능이 인간에 비해 이점이 없을 수 있다

 

 

 

■ 최근 들어 인공지능(artificial intelligence)과 로봇 기술이 빠르게 발전하면서 기술적 실업(technological unemployment)에 대한 우려가 제기되고 있음

 

- 기술적 실업: 기술 발전과 함께 기계가 인간을 대신함으로써 발생하는 실업을 의미함

 

 

○ 로봇 사용으로 인해 저급과 중급 기술자의 노동시간이 감소하였음

 

- Graetz and Michaels(2015)는 IFR의 데이터(1993~2007)를 사용하여 17개국을 대상으로 분석

 

- Acemoglu and Restrepo(2017), 미국을 대상으로 조사. 로봇 1대를 추가적으로 도입할 경우 평균적으로 6개의 일자리가 감소하였음

 

 

○ 로봇 도입의 직접적인 영향을 받는 산업에서의 고용효과뿐만 아니라 관련 산업에 미치는 간접 고용효과까지 명시적으로 고려한 연구에서는 로봇 도입이 고용을 증가하는 효과가 있음

 

- Dauth et al.(2017), 독일 노동시장 데이터와 IFR의 데이터를 결합 분석: 로봇 1대를 추가로 도입할 경우 제조업 일자리 2개 감소

 

- 그러나 서비스 산업에서는 그 이상의 새로운 일자리가 창출되어 전체적으로는 고용이 증가하는 효과가 있었음

 

 

 

■ 인공지능의 경우 아직 데이터가 축적되지 않아 실제 고용효과보다는 일자리 대체 가능성 관련 연구가 대부분

 

 

- Frey and Osborne(2017), 미국의 약 700여 개 직업(occupation)을 대상으로 대체 가능성에 대해 연구

 

- 대체 가능성 정도에 따라 고위험군, 중위험군, 저위험군으로 구분

 

- 미국 전체 일자리의 약 47%, 향후 10~20년 내에 인공지능에 의해 대체될 고위험군

 

- Brzeski and Burk(2015), 독일 노동시장, 59% 고위험군

 

- Pajarinen and Rouvinen(2014), 핀란드 노동시장, 35.7% 고위험군

 

 

 

■ 직무 기반 접근법에 의한 분석

 

 

- 동일한 직업 내에서도 직무에 있어서는 개인별로 상당한 편차를 보일 수 있으며, 이러한 점을 고려한다면 인공지능에 의한 대체 가능성은 '직업 기반 접근법'에 의한 추정치보다 낮아질 수 있음

 

- 기술적으로는 대신할 수 있다고 하더라도 비용 측면에서 상대적인 우위가 없다면 대체 시기는 늦어질 수 있음

Posted by manga0713

 

 

 

 

 

 

 

 

*** 출처: [iitp 정보통신기술진흥센터] 무인 점포 아마존 Go의 상품 구입 여부 인식 방법

*** 문서:

file3562560783035468247-183304.pdf

 

 

 

 

■ 아마존 Go 의 작동 방식, 미공개

 

 

○ 아마존 Go 동작 순서

 

- 매장 입장 시 전용 앱 실행 --> QR코드 인식 --> 상품 선택 (구매시점으로 파악, 반대의 경우 선택 포기로 인식 구매 목록에서 제거)  --> 쇼핑 끝 --> 전용 앱에 결제 청구 --> 영수증 발행

 

 

○ 구매(상품 선택)와 구매 포기(상품선택 포기) 시점, 의도 파악은 "컴퓨터 비전"과 "센서 퓨전" 기술을 사용하는 것으로 보임

 

- 입장 고객의 동선 파악이 중요한데 이를 위해서는 고객 정보와 카메라가 파악한 정보를 연결해 주는 키 값이 필요함

 

- 얼굴인식을 통해 고객을 특정하는 것은 아니기 때문에 고객의 모습에서 특징량을 파악하고 이를 키 값으로 사용해 고객을 추적하는 것으로 보임

 

- 진열대에 카메라와 저울이 탑재되어 있다고 함. 카메라는 고객이 선택한 상품을 인식하고, 저울은 선반의 무게를 측정하여 무게에 따라 상품의 선택, 포기를 인식하는 것으로 보임

 

 

○ 컴퓨터 비전과 센서 퓨전을 통해 수집된 일련의 데이터는 서버로 전송되고, 최종적으로 딥러닝 알고리즘이 어떤 고객이 얼마만큼의 상품을 구매하였는지 추정하는 것으로 보임

 

- 매장 내 쇼핑 활동에는 다양한 상황발생 요소가 있기 때문에 시스템은 다양한 상황을 학습해 나갈 필요가 있음

 

- 아마존 Go 앱에 따르면 현재 상품을 다른 사람에게 전달하는 행위는 금지되어 있음

 

 

 

■ 딥러닝 알고리즘을 학습시켜 고객 및 고객 행동 패턴의 정확도를 높이고 고객 행동 패턴의 의미를 학습시키는 과정이 아마존 Go의 성패를 좌우할 수 있음

 

- 오픈한 지 수 주일이 지났지만 특별히 큰 문제는 보고되지 않았으며, 판정 정확도는 실용화 가능한 수준으로 보임

 

 

 

■ 아마존은 아마존 Go의 확장에 대해 침묵

 

- 오픈한 매장의 구색을 보면 편의점 형태의 매장

 

- 매장 개설 비용이 이슈(수백 대의 카메라, 인공지능 시스템 설치 등의 높은 구축 비용)

Posted by manga0713

 

 

 

 

 

 

 

 

Posted by manga0713

 

 

 

Posted by manga0713

 

 

 

 

***출처: [US-CERT: Bulletin(SB18-043)] 2018년 2월 5일까지 발표된 보안 취약점

 

 

 

 

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

 

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
There were no high vulnerabilities recorded this week.
Back to top

 

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
There were no medium vulnerabilities recorded this week.
Back to top

 

Low Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
There were no low vulnerabilities recorded this week.
Back to top

 

Severity Not Yet Assigned

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
abrt -- abrt
 
The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namedspaced environment. 2018-02-09 not yet calculated CVE-2015-1862
MISC(link is external)
MISC(link is external)
MISC(link is external)
FULLDISC
MLIST(link is external)
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
EXPLOIT-DB(link is external)
EXPLOIT-DB(link is external)
adobe -- flash_player
 
A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to quality of service functionality. A successful attack can lead to arbitrary code execution. 2018-02-06 not yet calculated CVE-2018-4877
BID(link is external)
REDHAT(link is external)
MISC(link is external)
adobe -- flash_player
 
A use-after-free vulnerability was discovered in Adobe Flash Player before 28.0.0.161. This vulnerability occurs due to a dangling pointer in the Primetime SDK related to the handling of listener objects. A successful attack can lead to arbitrary code execution. This was exploited in the wild in January and February 2018. 2018-02-06 not yet calculated CVE-2018-4878
MISC(link is external)
BID(link is external)
SECTRACK(link is external)
REDHAT(link is external)
MISC(link is external)
MISC(link is external)
MISC(link is external)
MISC(link is external)
anymail -- anymail
 
webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events. 2018-02-03 not yet calculated CVE-2018-6596
CONFIRM
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
DEBIAN
apache -- allura
 
In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster may prevent the attack from succeeding. Others, such as gunicorn do not prevent it and leave Allura vulnerable. 2018-02-06 not yet calculated CVE-2018-1299
CONFIRM
MLIST
apache -- cloudstack
 
In Apache CloudStack 4.1.0 and 4.1.1, when calling the CloudStack API call listProjectAccounts as a regular, non-administrative user, the user is able to see information for accounts other than their own. 2018-02-06 not yet calculated CVE-2013-4317
MLIST
apache -- cloudstack
 
Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. If a malicious user is able to determine the ID of another (non-"root") CloudStack user, the malicious user may be able to reset the API keys for the other user, in turn accessing their account and resources. 2018-02-06 not yet calculated CVE-2016-6813
MLIST
BID(link is external)
MLIST
apache -- juddi
 
In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5. 2018-02-09 not yet calculated CVE-2018-1307
CONFIRM
CONFIRM
apache -- mod-gnutls
 
mod-gnutls does not validate client certificates when "GnuTLSClientVerify require" is set in a directory context, which allows remote attackers to spoof clients via a crafted certificate. 2018-02-03 not yet calculated CVE-2009-5144
CONFIRM(link is external)
MLIST(link is external)
CONFIRM
CONFIRM(link is external)
apache -- qpid_broker
 
A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows unauthenticated attacker to crash the broker instance. AMQP 1.0 and HTTP connections are not affected. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called "Authentication Providers". Each Authentication Provider can support several SASL mechanisms which are offered to the connecting clients as part of SASL negotiation process. The client chooses the most appropriate SASL mechanism for authentication. Authentication Providers of following types supports PLAIN SASL mechanism: Plain, PlainPasswordFile, SimpleLDAP, Base64MD5PasswordFile, MD5, SCRAM-SHA-256, SCRAM-SHA-1. XOAUTH2 SASL mechanism is supported by Authentication Providers of type OAuth2. If an AMQP port is configured with any of these Authentication Providers, the Broker may be vulnerable. 2018-02-09 not yet calculated CVE-2018-1298
MLIST
apport -- apport
 
Apport through 2.20.7 does not properly handle core dumps from setuid binaries allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1324. 2018-02-02 not yet calculated CVE-2017-14177
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
UBUNTU(link is external)
apport -- apport
 
Apport 2.13 through 2.20.7 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges, a different vulnerability than CVE-2017-14179. 2018-02-02 not yet calculated CVE-2017-14180
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
UBUNTU(link is external)
apport -- apport
 
Apport before 2.13 does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. 2018-02-02 not yet calculated CVE-2017-14179
CONFIRM(link is external)
CONFIRM(link is external)
armmbed -- mbedtls
 
ARM mbedTLS version development branch, 2.7.0 and earlier contains a CWE-670, Incorrect condition control flow leading to incorrect return, leading to data loss vulnerability in ssl_write_real(), library/ssl_tls.c:7142 that can result in Leads to data loss, can be escalated to DoS and authorization bypass in application protocols. This attack appear to be exploitable via network connectivity. 2018-02-09 not yet calculated CVE-2018-1000061
CONFIRM(link is external)
artifex -- mupdf
 
pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which allows remote attackers to cause a denial of service via a crafted PDF document. 2018-02-02 not yet calculated CVE-2018-6544
MISC(link is external)
MISC(link is external)
MISC(link is external)
MISC(link is external)
artifex -- mupdf
 
Artifex Mupdf version 1.12.0 contains a Use After Free vulnerability in fz_keep_key_storable that can result in DOS / Possible code execution. This attack appear to be exploitable via Victim opens a specially crafted PDF. 2018-02-09 not yet calculated CVE-2018-1000051
CONFIRM(link is external)
CONFIRM(link is external)
atlassian -- bamboo
 
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. 2018-02-02 not yet calculated CVE-2017-18040
CONFIRM(link is external)
atlassian -- bamboo
 
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability. 2018-02-02 not yet calculated CVE-2017-18042
CONFIRM(link is external)
atlassian -- bamboo
 
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch. 2018-02-02 not yet calculated CVE-2017-18082
CONFIRM(link is external)
atlassian -- bamboo
 
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability. 2018-02-02 not yet calculated CVE-2017-18080
CONFIRM(link is external)
atlassian -- bamboo
 
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie. 2018-02-02 not yet calculated CVE-2017-18081
CONFIRM(link is external)
atlassian -- bamboo
 
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. 2018-02-02 not yet calculated CVE-2017-18041
CONFIRM(link is external)
atlassian -- bitbucket_server
 
The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3.4 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.2 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.1 (the fixed version for 5.5.x) and before 5.6.0 allows remote attackers to read arbitrary files via a path traversal vulnerability through the name of a git tag. 2018-02-02 not yet calculated CVE-2017-18037
CONFIRM(link is external)
atlassian -- bitbucket_server
 
The Github repository importer in Atlassian Bitbucket Server before version 5.3.0 allows remote attackers to determine if a service they could not otherwise reach has open ports via a Server Side Request Forgery (SSRF) vulnerability. 2018-02-02 not yet calculated CVE-2017-18036
BID(link is external)
CONFIRM(link is external)
atlassian -- bitbucket_server
 
The repository settings resource in Atlassian Bitbucket Server before version 5.6.0 allows remote attackers to read the first line of arbitrary files via a path traversal vulnerability through the default branch name. 2018-02-02 not yet calculated CVE-2017-18038
CONFIRM(link is external)
atlassian -- confluence_server The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. 2018-02-02 not yet calculated CVE-2017-18085
CONFIRM(link is external)
atlassian -- confluence_server
 
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. 2018-02-02 not yet calculated CVE-2017-18083
CONFIRM(link is external)
atlassian -- confluence_server
 
Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter. 2018-02-02 not yet calculated CVE-2017-18086
CONFIRM(link is external)
atlassian -- confluence_server
 
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro. 2018-02-02 not yet calculated CVE-2017-18084
CONFIRM(link is external)
atlassian -- fisheye_and_crucible
 
The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it. 2018-02-02 not yet calculated CVE-2017-18035
CONFIRM(link is external)
CONFIRM(link is external)
atlassian -- fisheye_and_crucible
 
The source browse resource in Atlassian FishEye and Crucible before version 4.5.1 and 4.6.0 allows allows remote attackers that have write access to an indexed repository to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in via a specially crafted repository branch name when trying to display deleted files of the branch. 2018-02-02 not yet calculated CVE-2017-18034
CONFIRM(link is external)
CONFIRM(link is external)
atlassian -- jira
 
The IncomingMailServers resource in Atlassian Jira from version 6.2.1 before version 7.4.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the messagesThreshold parameter. 2018-02-02 not yet calculated CVE-2017-18039
CONFIRM(link is external)
audacity -- audacity
 
Audacity before 2.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted FORMATCHUNK structure. 2018-02-07 not yet calculated CVE-2016-2540
CONFIRM
MISC(link is external)
audacity -- audacity
 
Audacity before 2.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted MP2 file. 2018-02-07 not yet calculated CVE-2016-2541
CONFIRM
MISC(link is external)
avaya -- aura
 
System Manager in Avaya Aura before 7.1.2 does not properly use SSL in conjunction with authentication, which allows remote attackers to bypass intended Remote Method Invocation (RMI) restrictions, aka SMGR-26896. 2018-02-05 not yet calculated CVE-2018-6635
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
bitpay -- insight-api
 
Bitpay/insight-api Insight-api version 5.0.0 and earlier contains a CWE-20: input validation vulnerability in transaction broadcast endpoint that can result in Full Path Disclosure. This attack appear to be exploitable via Web request. 2018-02-09 not yet calculated CVE-2018-1000023
CONFIRM(link is external)
boot2docker -- boot2docker Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'. 2018-02-06 not yet calculated CVE-2014-5282
CONFIRM(link is external)
CONFIRM(link is external)
boot2docker -- boot2docker
 
boot2docker 1.2 and earlier allows attackers to conduct cross-site request forgery (CSRF) attacks by leveraging Docker daemons enabling TCP connections without TLS authentication. 2018-02-06 not yet calculated CVE-2014-5280
CONFIRM(link is external)
boot2docker -- boot2docker
 
The Docker daemon managed by boot2docker 1.2 and earlier improperly enables unauthenticated TCP connections by default, which makes it easier for remote attackers to gain privileges or execute arbitrary code from children containers. 2018-02-06 not yet calculated CVE-2014-5279
CONFIRM(link is external)
borg -- borg_servers
 
Incorrect implementation of access controls allows remote users to override repository restrictions in Borg servers 1.1.x before 1.1.3. 2018-02-08 not yet calculated CVE-2017-15914
CONFIRM(link is external)
brocade -- fabric_os
 
Cross-site scripting (XSS) vulnerability in the web-based management interface of Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow remote attackers to execute arbitrary code or access sensitive browser-based information. 2018-02-08 not yet calculated CVE-2017-6225
CONFIRM(link is external)
brocade -- fabric_os
 
A vulnerability in the IPv6 stack on Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) versions before 7.4.2b, 8.1.2 and 8.2.0 could allow an attacker to cause a denial of service (CPU consumption and device hang) condition by sending crafted Router Advertisement (RA) messages to a targeted system. 2018-02-08 not yet calculated CVE-2017-6227
CONFIRM(link is external)
canvs_canvas -- canvs_canvas
 
Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulnerability in User's details that can result in denial of service and execution of javascript code. 2018-02-09 not yet calculated CVE-2017-1000507
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
ccn-lite-ccnb2xml in CCN-lite before 2.0.0 allows context-dependent attackers to have unspecified impact via a crafted file, which triggers infinite recursion and a stack overflow. 2018-02-07 not yet calculated CVE-2017-12412
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
ccnl_ccntlv_bytes2pkt in CCN-lite allows context-dependent attackers to cause a denial of service (application crash) via vectors involving packets with "wrong L values." 2018-02-07 not yet calculated CVE-2017-12473
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
Memory leak in the ccnl_app_RX function in ccnl-uapi.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (memory consumption) via vectors involving an envelope_s structure pointer when the packet format is unknown. 2018-02-07 not yet calculated CVE-2017-12463
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
Integer overflow in the ndn_parse_sequence function in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors involving the typ and vallen variables. 2018-02-07 not yet calculated CVE-2017-12470
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
ccn-lite-valid.c in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via vectors involving the keyfile variable. 2018-02-07 not yet calculated CVE-2017-12464
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors related to ssl_halen when running ccn-lite-sim, which trigger an out-of-bounds access. 2018-02-07 not yet calculated CVE-2017-12466
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
Buffer overflow in util/ccnl-common.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging incorrect memory allocation. 2018-02-07 not yet calculated CVE-2017-12469
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
Memory leak in CCN-lite before 2.00 allows context-dependent attackers to cause a denial of service (memory consumption) by leveraging failure to allocate memory for the comp or complen structure member. 2018-02-07 not yet calculated CVE-2017-12467
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
Multiple integer overflows in CCN-lite before 2.00 allow context-dependent attackers to have unspecified impact via vectors involving the (1) vallen variable in the iottlv_parse_sequence function or (2) typ, vallen and i variables in the localrpc_parse function. 2018-02-07 not yet calculated CVE-2017-12465
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
Buffer overflow in ccn-lite-ccnb2xml.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact via vectors involving the vallen and len variables. 2018-02-07 not yet calculated CVE-2017-12468
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
The cnb_parse_lev function in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging failure to check for out-of-bounds conditions, which triggers an invalid read in the hexdump function. 2018-02-07 not yet calculated CVE-2017-12471
CONFIRM(link is external)
CONFIRM(link is external)
ccn-lite -- ccn-lite
 
ccnl-ext-mgmt.c in CCN-lite before 2.00 allows context-dependent attackers to have unspecified impact by leveraging missing NULL pointer checks after ccnl_malloc. 2018-02-07 not yet calculated CVE-2017-12472
CONFIRM(link is external)
CONFIRM(link is external)
cisco -- data_center_analytics_framework
 
A vulnerability in the web-based management interface of Cisco Data Center Analytics Framework could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvh02088. 2018-02-08 not yet calculated CVE-2018-0129
BID(link is external)
CONFIRM(link is external)
cisco -- data_center_analytics_framework
 
A vulnerability in the web-based management interface of Cisco Data Center Analytics Framework could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. Cisco Bug IDs: CSCvh02082. 2018-02-08 not yet calculated CVE-2018-0128
BID(link is external)
CONFIRM(link is external)
cisco -- email_security_appliance_and _content_security_management_appliance
 
A vulnerability in the spam quarantine of Cisco Email Security Appliance and Cisco Content Security Management Appliance could allow an authenticated, remote attacker to download any message from the spam quarantine by modifying browser string information. The vulnerability is due to a lack of verification of authenticated user accounts. An attacker could exploit this vulnerability by modifying browser strings to see messages submitted by other users to the spam quarantine within their company. Cisco Bug IDs: CSCvg39759, CSCvg42295. 2018-02-08 not yet calculated CVE-2018-0140
SECTRACK(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- firepower_system_software
 
A vulnerability in the detection engine of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass file policies that are configured to block files transmitted to an affected device via the BitTorrent protocol. The vulnerability exists because the affected software does not detect BitTorrent handshake messages correctly. An attacker could exploit this vulnerability by sending a crafted BitTorrent connection request to an affected device. A successful exploit could allow the attacker to bypass file policies that are configured to block files transmitted to the affected device via the BitTorrent protocol. Cisco Bug IDs: CSCve26946. 2018-02-08 not yet calculated CVE-2018-0138
CONFIRM(link is external)
cisco -- ios_and_ios_xe_software
 
A Path Traversal vulnerability in the diagnostic shell for Cisco IOS and IOS XE Software could allow an authenticated, local attacker to use certain diagnostic shell commands that can overwrite system files. These system files may be sensitive and should not be able to be overwritten by a user of the diagnostic shell. The vulnerability is due to lack of proper input validation for certain diagnostic shell commands. An attacker could exploit this vulnerability by authenticating to the device, entering the diagnostic shell, and providing crafted user input to commands at the local diagnostic shell CLI. Successful exploitation could allow the attacker to overwrite system files that should be restricted. Cisco Bug IDs: CSCvg41950. 2018-02-08 not yet calculated CVE-2018-0123
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- ios_xr_software A vulnerability in the forwarding information base (FIB) code of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause inconsistency between the routing information base (RIB) and the FIB, resulting in a denial of service (DoS) condition. The vulnerability is due to incorrect processing of extremely long routing updates. An attacker could exploit this vulnerability by sending a large routing update. A successful exploit could allow the attacker to trigger inconsistency between the FIB and the RIB, resulting in a DoS condition. Cisco Bug IDs: CSCus84718. 2018-02-08 not yet calculated CVE-2018-0132
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- policy_suite
 
A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to determine whether a subscriber username is valid. The vulnerability occurs because the Cisco Policy Suite RADIUS server component returns different authentication failure messages based on the validity of usernames. An attacker could use these messages to determine whether a valid subscriber username has been identified. The attacker could use this information in subsequent attacks against the system. Cisco Bug IDs: CSCvg47830. 2018-02-08 not yet calculated CVE-2018-0134
BID(link is external)
CONFIRM(link is external)

cisco -- policy_suite


 
A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to be authorized as a subscriber without providing a valid password; however, the attacker must provide a valid username. The vulnerability is due to incorrect RADIUS user credential validation. An attacker could exploit this vulnerability by attempting to access a Cisco Policy Suite domain configured with RADIUS authentication. An exploit could allow the attacker to be authorized as a subscriber without providing a valid password. This vulnerability affects the Cisco Policy Suite application running a release prior to 13.1.0 with Hotfix Patch 1 when RADIUS authentication is configured for a domain. Cisco Policy Suite Release 14.0.0 is also affected, as it includes vulnerable code, but RADIUS authentication is not officially supported in Cisco Policy Suite Releases 14.0.0 and later. Cisco Bug IDs: CSCvg40124. 2018-02-08 not yet calculated CVE-2018-0116
CONFIRM(link is external)

cisco -- prime_network


 
A vulnerability in the TCP throttling process of Cisco Prime Network could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient rate limiting protection for TCP listening ports. An attacker could exploit this vulnerability by sending the affected device a high rate of TCP SYN packets to the local IP address of the targeted application. A successful exploit could allow the attacker to cause the device to consume a high amount of memory and become slow, or to stop accepting new TCP connections to the application. Cisco Bug IDs: CSCvg48152. 2018-02-08 not yet calculated CVE-2018-0137
BID(link is external)
CONFIRM(link is external)

cisco -- rv132w_adsl2+_wireless-n_vpn_ and _rv134w_vdsl2_wireless-ac_vpn_routers


 
A vulnerability in the web interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to the absence of user authentication requirements for certain pages that are part of the web interface and contain confidential information for an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device and examining the HTTP response to the request. A successful exploit could allow the attacker to view configuration parameters, including the administrator password, for the affected device. Cisco Bug IDs: CSCvg92739, CSCvh60172. 2018-02-08 not yet calculated CVE-2018-0127
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- rv132w_adsl2+_wireless-n_vpn_and_rv134w_vdsl2_wireless-ac_vpn_routers
 
A vulnerability in the web interface of the Cisco RV132W ADSL2+ Wireless-N VPN and RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to execute arbitrary code and gain full control of an affected system, including issuing commands with root privileges. The attacker could also cause an affected system to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to an incomplete input validation on user-controlled input in an HTTP request to the targeted device. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user and gain full control of the affected system or cause it to reload, resulting in a DoS condition. This vulnerability is fixed in firmware version 1.0.1.11 for the following Cisco products: RV132W ADSL2+ Wireless-N VPN Router and RV134W VDSL2 Wireless-AC VPN Router. Cisco Bug IDs: CSCvg92737, CSCvh60170. 2018-02-08 not yet calculated CVE-2018-0125
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- spark
 
A vulnerability in certain authentication controls in the account services of Cisco Spark could allow an authenticated, remote attacker to interact with and view information on an affected device that would normally be prohibited. The vulnerability is due to the improper display of user-account tokens generated in the system. An attacker could exploit this vulnerability by logging in to the device with a token in use by another account. Successful exploitation could allow the attacker to cause a partial impact to the device's confidentiality, integrity, and availability. Cisco Bug IDs: CSCvg05206. 2018-02-08 not yet calculated CVE-2018-0119
CONFIRM(link is external)

cisco -- staros_operating_system_for_cisco_asr_5000_series_aggregation_services_routers


 
A vulnerability in the CLI of the Cisco StarOS operating system for Cisco ASR 5000 Series Aggregation Services Routers could allow an authenticated, local attacker to overwrite system files that are stored in the flash memory of an affected system. The vulnerability is due to insufficient validation of user-supplied input by the affected operating system. An attacker could exploit this vulnerability by injecting crafted command arguments into a vulnerable CLI command for the affected operating system. A successful exploit could allow the attacker to overwrite or modify arbitrary files that are stored in the flash memory of an affected system. To exploit this vulnerability, the attacker would need to authenticate to an affected system by using valid administrator credentials. Cisco Bug IDs: CSCvf93335. 2018-02-08 not yet calculated CVE-2018-0122
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- ucs_central
 
A vulnerability in an operations script of Cisco UCS Central could allow an authenticated, remote attacker to execute arbitrary shell commands with the privileges of the daemon user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by posting a crafted request to the user interface of Cisco UCS Central. This vulnerability affects Cisco UCS Central Software prior to Release 2.0(1c). Cisco Bug IDs: CSCve70825. 2018-02-08 not yet calculated CVE-2018-0113
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- unified_communications_manager
 
A vulnerability in Cisco Unified Communications Manager could allow an authenticated, remote attacker to access sensitive information on an affected system. The vulnerability exists because the affected software improperly validates user-supplied search input. An attacker could exploit this vulnerability by sending malicious requests to an affected system. A successful exploit could allow the attacker to retrieve sensitive information from the affected system. Cisco Bug IDs: CSCvf17644. 2018-02-08 not yet calculated CVE-2018-0135
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- unified_communications_manager
 
A vulnerability in the web framework of Cisco Unified Communications Manager could allow an authenticated, remote attacker to conduct an SQL injection attack against an affected system. The vulnerability exists because the affected software fails to validate user-supplied input in certain SQL queries that bypass protection filters. An attacker could exploit this vulnerability by submitting crafted HTTP requests that contain malicious SQL statements to an affected system. A successful exploit could allow the attacker to determine the presence of certain values in the database of the affected system. Cisco Bug IDs: CSCvg74810. 2018-02-08 not yet calculated CVE-2018-0120
BID(link is external)
SECTRACK(link is external)
CONFIRM(link is external)
cisco -- virtualized_packet_core-distributed_instance_software A vulnerability in the ingress packet processing functionality of the Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) Software could allow an unauthenticated, remote attacker to cause both control function (CF) instances on an affected system to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient handling of user-supplied data by the affected software. An attacker could exploit this vulnerability by sending malicious traffic to the internal distributed instance (DI) network address on an affected system. A successful exploit could allow the attacker to cause an unhandled error condition on the affected system, which would cause the CF instances to reload and consequently cause the entire VPC to reload, resulting in the disconnection of all subscribers and a DoS condition on the affected system. This vulnerability affects Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) Software N4.0 through N5.5 with the Cisco StarOS operating system 19.2 through 21.3. Cisco Bug IDs: CSCve17656. 2018-02-08 not yet calculated CVE-2018-0117
CONFIRM(link is external)
claymore -- dual_gpu_miner
 
The remote management interface in Claymore Dual Miner 10.5 and earlier is vulnerable to an unauthenticated format string vulnerability, allowing remote attackers to read memory or cause a denial of service. 2018-02-02 not yet calculated CVE-2018-6317
MISC(link is external)
EXPLOIT-DB(link is external)
claymore -- dual_gpu_miner
 
nanopool Claymore Dual Miner version 7.3 and earlier contains a Remote Code Execution vulnerability in API that can result in RCE by abusing the remote manager API. This attack appear to be exploitable via The victim must run the miner with read/write mode enabled. 2018-02-09 not yet calculated CVE-2018-1000049
MISC(link is external)
MISC(link is external)
cloudera -- cloudera
 
An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x before 1.2.0. Several web application vulnerabilities allow malicious authenticated users of CDSW to escalate privileges in CDSW. CDSW users can exploit these vulnerabilities in combination to gain root access to CDSW nodes, gain access to the CDSW database which includes Kerberos keytabs of CDSW users and bcrypt hashed passwords, and gain access to other privileged information such as session tokens, invitation tokens, and environment variables. 2018-02-04 not yet calculated CVE-2017-15536
CONFIRM(link is external)
cozy -- cozy
 
Cozy has XSS allowing remote attackers to obtain administrative access via JavaScript code in the url parameter to the /api/proxy URI, as demonstrated by an XMLHttpRequest call with an 'email:"attacker@example.com"' request, which can be followed by a password reset. 2018-02-07 not yet calculated CVE-2018-6824
MISC(link is external)
croogo -- croogo
 
Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code. 2018-02-09 not yet calculated CVE-2017-1000510
CONFIRM(link is external)
django -- django
 
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive. 2018-02-04 not yet calculated CVE-2018-6188
CONFIRM(link is external)
dojo -- dojo_toolkit
 
dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element. 2018-02-02 not yet calculated CVE-2018-6561
MISC(link is external)
dokuwiki -- dokuwiki
 
The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs. 2018-02-03 not yet calculated CVE-2017-18123
MISC(link is external)
MISC(link is external)
MISC(link is external)
MISC(link is external)
MLIST
MISC(link is external)
dolibarr -- dolibarr
 
Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code. 2018-02-09 not yet calculated CVE-2017-1000509
CONFIRM(link is external)
echor -- echor The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semi-colon in their username or password. 2018-02-02 not yet calculated CVE-2014-1834
MLIST(link is external)
echor -- echor
 
The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to steal the login credentials by watching the process table. 2018-02-02 not yet calculated CVE-2014-1835
MLIST(link is external)
XF(link is external)
edx -- edx
 
The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed. 2018-02-03 not yet calculated CVE-2015-2186
CONFIRM(link is external)
CONFIRM
efront -- cms
 
Absolute path traversal vulnerability in eFront CMS 3.6.15.4 and earlier allows remote Professor users to obtain sensitive information via a full pathname in the other parameter. 2018-02-05 not yet calculated CVE-2015-4461
CONFIRM(link is external)
MISC(link is external)
electrum_technologies -- electrum_bitcoin_wallet
 
Electrum Technologies GmbH Electrum Bitcoin Wallet version prior to version 3.0.5 contains a Missing Authorization vulnerability in JSONRPC interface that can result in Bitcoin theft, if the user's wallet is not password protected. This attack appear to be exploitable via The victim must visit a web page with specially crafted javascript. This vulnerability appears to have been fixed in 3.0.5. 2018-02-09 not yet calculated CVE-2018-1000022
MISC
MISC
CONFIRM(link is external)
MISC(link is external)
emc -- recoverpoint
 
An issue was discovered in EMC RecoverPoint for Virtual Machines versions prior to 5.1.1, EMC RecoverPoint version 5.1.0.0, and EMC RecoverPoint versions prior to 5.0.1.3. Command injection vulnerability in Boxmgmt CLI may allow a malicious user with boxmgmt privileges to bypass Boxmgmt CLI and run arbitrary commands with root privileges. 2018-02-03 not yet calculated CVE-2018-1184
CONFIRM
SECTRACK(link is external)
emc -- recoverpoint
 
An issue was discovered in EMC RecoverPoint for Virtual Machines versions prior to 5.1.1, EMC RecoverPoint version 5.1.0.0, and EMC RecoverPoint versions prior to 5.0.1.3. Command injection vulnerability in Admin CLI may allow a malicious user with admin privileges to escape from the restricted shell to an interactive shell and run arbitrary commands with root privileges. 2018-02-03 not yet calculated CVE-2018-1185
CONFIRM
SECTRACK(link is external)
epson -- airprint
 
Versions of Epson AirPrint released prior to January 19, 2018 contain a reflective cross-site scripting (XSS) vulnerability, which can allow untrusted users on the network to hijack a session cookie or perform other reflected XSS attacks on a currently logged-on user. 2018-02-08 not yet calculated CVE-2018-5550
MISC(link is external)
CONFIRM(link is external)
ether -- etherpad_lite
 
static/js/pad_utils.js in Etherpad Lite before v1.6.3 has XSS via window.location.href. 2018-02-08 not yet calculated CVE-2018-6834
CONFIRM(link is external)
CONFIRM(link is external)
ether -- etherpad_lite
 
node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions. 2018-02-08 not yet calculated CVE-2018-6835
CONFIRM(link is external)
CONFIRM(link is external)
exim -- exim
 
An issue was discovered in the SMTP listener in Exim 4.90 and earlier. By sending a handcrafted message, a buffer overflow may happen in a specific function. This can be used to execute code remotely. 2018-02-08 not yet calculated CVE-2018-6789
MLIST(link is external)
CONFIRM
extreme_networks -- extremewireless_wing An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated Stack Overflow in the RIM (Radio Interface Module) process running on the WiNG Access Point via crafted packets. 2018-02-04 not yet calculated CVE-2018-5787
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated Heap Overflow in the HSD Process over the MINT (Media Independent Tunnel) Protocol on the WiNG Access Point via crafted packets. 2018-02-04 not yet calculated CVE-2018-5793
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated Heap Overflow in the HSD Process over the MINT (Media Independent Tunnel) Protocol on the WiNG Access Point via crafted packets. 2018-02-04 not yet calculated CVE-2018-5791
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated Heap Overflow in the HSD Process over the MINT (Media Independent Tunnel) Protocol on the WiNG Access Point via crafted packets. 2018-02-04 not yet calculated CVE-2018-5792
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is an Smint_encrypt Hardcoded AES Key that can be used for packet decryption (obtaining cleartext credentials) by an attacker who has access to a wired port. 2018-02-04 not yet calculated CVE-2018-5797
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is Remote, Unauthenticated "Global" Denial of Service in the RIM (Radio Interface Module) over the MINT (Media Independent Tunnel) Protocol on the WiNG Access Point via crafted packets. 2018-02-04 not yet calculated CVE-2018-5790
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated Denial of Service in the RIM (Radio Interface Module) process running on the WiNG Access Point via crafted packets. 2018-02-04 not yet calculated CVE-2018-5788
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is No Authentication for the AeroScout Service via a crafted UDP packet. 2018-02-04 not yet calculated CVE-2018-5794
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Remote, Unauthenticated XML Entity Expansion Denial of Service on the WiNG Access Point / Controller via crafted XML entities to the Web User Interface. 2018-02-04 not yet calculated CVE-2018-5789
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is Arbitrary File Write from the WebGUI on the WiNG Access Point / Controller. 2018-02-04 not yet calculated CVE-2018-5795
CONFIRM(link is external)
extreme_networks -- extremewireless_wing
 
An issue was discovered in Extreme Networks ExtremeWireless WiNG 5.x before 5.8.6.9 and 5.9.x before 5.9.1.3. There is a Hidden Root Shell by entering the administrator password in conjunction with the 'service start-shell' CLI command. 2018-02-04 not yet calculated CVE-2018-5796
CONFIRM(link is external)
ezcode -- event_manager
 
SQL Injection exists in Event Manager 1.0 via the event.php id parameter or the page.php slug parameter. 2018-02-02 not yet calculated CVE-2018-6576
EXPLOIT-DB(link is external)
f5 -- big-ip
 
In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virtual server using the URL categorization feature may cause the Traffic Management Microkernel (TMM) to produce a core file when it receives malformed URLs during categorization. 2018-02-06 not yet calculated CVE-2017-6169
SECTRACK(link is external)
CONFIRM(link is external)
fasterxml -- jackson-databind
 
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. 2018-02-06 not yet calculated CVE-2017-15095
SECTRACK(link is external)
REDHAT(link is external)
REDHAT(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
DEBIAN
fasterxml -- jackson-databind
 
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. 2018-02-06 not yet calculated CVE-2017-7525
BID(link is external)
SECTRACK(link is external)
SECTRACK(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
REDHAT(link is external)
CONFIRM(link is external)
CONFIRM
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
DEBIAN
ffmpeg -- ffmpeg
 
Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted ASF file. 2018-02-08 not yet calculated CVE-2012-5359
MISC(link is external)
CONFIRM
ffmpeg -- ffmpeg
 
Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted QT file. 2018-02-08 not yet calculated CVE-2012-5360
MISC(link is external)
CONFIRM
ffmpeg -- ffmpeg
 
The decode_frame function in libavcodec/utvideodec.c in FFmpeg through 3.4.1 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file. 2018-02-04 not yet calculated CVE-2018-6621
BID(link is external)
CONFIRM
firebase -- firebase
 
Jerome Gamez Firebase Admin SDK for PHP version from 3.2.0 to 3.8.0 contains a Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php does not verify for token signature that can result in JWT with any email address and user ID could be forged from an actual token, or from thin air. This attack appear to be exploitable via Attacker would only need to know email address of the victim on most cases.. This vulnerability appears to have been fixed in 3.8.1. 2018-02-09 not yet calculated CVE-2018-1000025
CONFIRM(link is external)
CONFIRM(link is external)
fishshell -- fish fish before 2.1.1 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/fishd.log.%s, (2) /tmp/.pac-cache.$USER, (3) /tmp/.yum-cache.$USER, or (4) /tmp/.rpm-cache.$USER. 2018-02-09 not yet calculated CVE-2014-3219
FEDORA
GENTOO
MLIST(link is external)
MLIST(link is external)
BID(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
flatpak -- flatpak
 
In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and 0.10.x before 0.10.3, crafted D-Bus messages to the host can be used to break out of the sandbox, because whitespace handling in the proxy is not identical to whitespace handling in the daemon. 2018-02-02 not yet calculated CVE-2018-6560
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
flexense -- diskboss
 
An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due to the usage of plaintext information from the handshake as input for the encryption key used for the encryption of the rest of the session, the server and client disclose sensitive information, such as the authentication credentials, to any man-in-the-middle (MiTM) listener. 2018-02-02 not yet calculated CVE-2018-5261
MISC(link is external)
flexense -- syncbreeze_enterprise A buffer overflow vulnerability in "Add command" functionality exists in Flexense SyncBreeze Enterprise <= 10.3.14. The vulnerability can be triggered by an authenticated attacker who submits more than 5000 characters as the command name. It will cause termination of the SyncBreeze Enterprise server and possibly remote command execution with SYSTEM privilege. 2018-02-06 not yet calculated CVE-2017-17996
FULLDISC
MISC(link is external)
flexense -- syncbreeze_enterprise
 
A buffer overflow vulnerability in the control protocol of Flexense SyncBreeze Enterprise v10.4.18 allows remote attackers to execute arbitrary code by sending a crafted packet to TCP port 9121. 2018-02-02 not yet calculated CVE-2018-6537
EXPLOIT-DB(link is external)
fmtlib -- fmtlib
 
fmtlib version prior to version 4.1.0 (before commit 0555cea5fc0bf890afe0071a558e44625a34ba85) contains a Memory corruption (SIGSEGV), CWE-134 vulnerability in fmt::print() library function that can result in Denial of Service. This attack appear to be exploitable via Specifying an invalid format specifier in the fmt::print() function results in a SIGSEGV (memory corruption, invalid write). This vulnerability appears to have been fixed in after commit 8cf30aa2be256eba07bb1cefb998c52326e846e7. 2018-02-09 not yet calculated CVE-2018-1000052
CONFIRM(link is external)
CONFIRM(link is external)
fortinet -- fortigate_fortidb Multiple cross-site scripting (XSS) vulnerabilities in Java number format exception handling in FortiGate FortiDB before 4.4.2 allow remote attackers to inject arbitrary web script or HTML via the conversationContext parameter to (1) admin/auditTrail.jsf, (2) mapolicymgmt/targetsMonitorView.jsf, (3) vascan/globalsummary.jsf, (4) vaerrorlog/vaErrorLog.jsf, (5) database/listTargetGroups.jsf, (6) sysconfig/listSystemInfo.jsf, (7) vascan/list.jsf, (8) network/router.jsf, (9) mapolicymgmt/editPolicyProfile.jsf, or (10) mapolicymgmt/maPolicyMasterList.jsf. 2018-02-09 not yet calculated CVE-2012-6347
CONFIRM(link is external)
MISC(link is external)
fortinet -- fortigate_utm_waf_appliances_with_fortios Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiGate UTM WAF appliances with FortiOS 4.3.x before 4.3.6 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) Endpoint Monitor, (2) Dialup List, or (3) Log&Report Display modules or the fields_sorted_opt parameter to (4) user/auth/list or (5) endpointcompliance/app_detect/predefined_sig_list. 2018-02-08 not yet calculated CVE-2012-0941
MISC
BID(link is external)
XF(link is external)
CONFIRM(link is external)
SECTRACK(link is external)
MISC(link is external)
fortinet -- fortiweb Multiple cross-site scripting (XSS) vulnerabilities in FortiWeb before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) redir or (2) mkey parameter to waf/pcre_expression/validate. 2018-02-09 not yet calculated CVE-2012-6346
CONFIRM(link is external)
MISC(link is external)
foxit -- foxit_reader_and_phantompdf
 
Heap-based buffer overflow in Foxit Reader and PhantomPDF 7.3.4.311 and earlier on Windows allows remote attackers to cause a denial of service (memory corruption and application crash) or potentially execute arbitrary code via the Bezier data in a crafted PDF file. 2018-02-07 not yet calculated CVE-2016-6169
MISC(link is external)
CONFIRM(link is external)
foxit -- foxit_reader_and_phantompdf
 
Use-after-free vulnerability in Foxit Reader and PhantomPDF 7.3.4.311 and earlier on Windows allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a crafted PDF file. 2018-02-07 not yet calculated CVE-2016-6168
MISC(link is external)
CONFIRM(link is external)
freebsd -- freebsd
 
patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before 10.2-BETA2-p3, 10.2-RC1 before 10.2-RC1-p2, and 0.2-RC2 before 10.2-RC2-p1 allows remote attackers to execute arbitrary commands via a crafted patch file. 2018-02-05 not yet calculated CVE-2015-1418
BID(link is external)
SECTRACK(link is external)
FREEBSD
freebsd -- freebsd
 
The routed daemon in FreeBSD 9.3 before 9.3-RELEASE-p22, 10.2-RC2 before 10.2-RC2-p1, 10.2-RC1 before 10.2-RC1-p2, 10.2 before 10.2-BETA2-p3, and 10.1 before 10.1-RELEASE-p17 allows remote authenticated users to cause a denial of service (assertion failure and daemon exit) via a query from a network that is not directly connected. 2018-02-05 not yet calculated CVE-2015-5674
BID(link is external)
SECTRACK(link is external)
FREEBSD
freebsd -- freebsd
 
Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 before 10.2-BETA2-p2, and 10.1 before 10.1-RELEASE-p16; Bitrig; GNU patch before 2.2.5; and possibly other patch variants allow remote attackers to execute arbitrary shell commands via a crafted patch file. 2018-02-05 not yet calculated CVE-2015-1416
MLIST(link is external)
MLIST(link is external)
MLIST(link is external)
MLIST(link is external)
BID(link is external)
SECTRACK(link is external)
FREEBSD
fuji_electric -- v-server_vpr
 
A Stack-based Buffer Overflow issue was discovered in Fuji Electric V-Server VPR 4.0.1.0 and prior. The stack-based buffer overflow vulnerability has been identified, which may allow remote code execution. 2018-02-05 not yet calculated CVE-2018-5442
BID(link is external)
MISC
futomi -- mp_form_mail_cgi_ecommerce_edition
 
MP Form Mail CGI eCommerce Edition Ver 2.0.13 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. 2018-02-08 not yet calculated CVE-2018-0514
CONFIRM(link is external)
JVN(link is external)
gifsicle -- gifsicle
 
A double-free bug in the read_gif function in gifread.c in gifsicle 1.90 allows a remote attacker to cause a denial-of-service attack or unspecified other impact via a maliciously crafted file, because last_name is mishandled, a different vulnerability than CVE-2017-1000421. 2018-02-02 not yet calculated CVE-2017-18120
MISC
MISC
MISC(link is external)
MISC(link is external)
git -- git
 
GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack). 2018-02-09 not yet calculated CVE-2018-1000021
MISC(link is external)
gnome -- librsvg
 
GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear to be exploitable via The victim must process a specially crafted SVG file containing an UNC path on Windows. 2018-02-09 not yet calculated CVE-2018-1000041
CONFIRM(link is external)
CONFIRM(link is external)
gnu -- binutils
 
The elf_parse_notes function in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (out-of-bounds read and segmentation violation) via a note with a large alignment. 2018-02-09 not yet calculated CVE-2018-6872
CONFIRM
CONFIRM
gnu -- binutils
 
The bfd_get_debug_link_info_1 function in opncls.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, has an unchecked strnlen operation. Remote attackers could leverage this vulnerability to cause a denial of service (segmentation fault) via a crafted ELF file. 2018-02-06 not yet calculated CVE-2018-6759
CONFIRM
gnu -- binutils
 
In GNU Binutils 2.30, there's an integer overflow in the function load_specific_debug_section() in objdump.c, which results in `malloc()` with 0 size. A crafted ELF file allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. 2018-02-02 not yet calculated CVE-2018-6543
MISC
gnu -- c_library
 
The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption. 2018-02-02 not yet calculated CVE-2018-6551