Vulnerabilities (CVE)

Total 18424 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-6131 1 F5 9 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Application Acceleration Manager and 6 more 2017-07-08 7.5 HIGH 9.8 CRITICAL
In some circumstances, an F5 BIG-IP version 12.0.0 to 12.1.2 and 13.0.0 Azure cloud instance may contain a default administrative password which could be used to remotely log into the BIG-IP system. The impacted administrative account is the Azure instance administrative user that was created at deployment. The root and admin accounts are not vulnerable. An attacker may be able to remotely access the BIG-IP host via SSH.
CVE-2017-3094 1 Adobe 1 Digital Editions 2017-07-08 10.0 HIGH 9.8 CRITICAL
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF processing engine. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3089 1 Adobe 1 Digital Editions 2017-07-08 10.0 HIGH 9.8 CRITICAL
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF imaging model. Successful exploitation could lead to arbitrary code execution.
CVE-2017-3093 1 Adobe 1 Digital Editions 2017-07-08 10.0 HIGH 9.8 CRITICAL
Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the bitmap representation module. Successful exploitation could lead to arbitrary code execution.
CVE-2017-7903 1 Rockwellautomation 21 1763-l16awa Series A, 1763-l16awa Series B, 1763-l16bbb Series A and 18 more 2017-07-08 5.0 MEDIUM 9.8 CRITICAL
A Weak Password Requirements issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. The affected products use a numeric password with a small maximum character size for the password.
CVE-2017-7317 1 Humaxdigital 2 Hg100r, Hg100r Firmware 2017-07-07 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Humax Digital HG100 2.0.6 devices. The attacker can find the root credentials in the backup file, aka GatewaySettings.bin.
CVE-2017-4989 1 Emc 1 Avamar Server 2017-07-07 7.5 HIGH 9.8 CRITICAL
In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401, an unauthenticated remote attacker may potentially bypass the authentication process to gain access to the system maintenance page. This may be exploited by an attacker to view sensitive information, perform software updates, or run maintenance workflows.
CVE-2017-9848 1 Easysitecms 1 Easysite 2017-07-07 7.5 HIGH 9.8 CRITICAL
SQL injection vulnerability in C_InfoService.asmx in WebServices in Easysite 7.0 could allow remote attackers to execute arbitrary SQL commands via an XML document containing a crafted ArticleIDs element within a GetArticleHitsArray element.
CVE-2017-4990 1 Emc 1 Avamar Server 2017-07-07 7.5 HIGH 9.8 CRITICAL
In EMC Avamar Server Software 7.4.1-58, 7.4.0-242, 7.3.1-125, 7.3.0-233, 7.3.0-226, an unauthorized attacker may leverage the file upload feature of the system maintenance page to load a maliciously crafted file to any directory which could allow the attacker to execute arbitrary code on the Avamar Server system.
CVE-2017-9466 1 Tp-link 2 Wr841n V8, Wr841n V8 Firmware 2017-07-06 7.5 HIGH 9.8 CRITICAL
The executable httpd on the TP-Link WR841N V8 router before TL-WR841N(UN)_V8_170210 contained a design flaw in the use of DES for block encryption. This resulted in incorrect access control, which allowed attackers to gain read-write access to system settings through the protected router configuration service tddp via the LAN and Ath0 (Wi-Fi) interfaces.
CVE-2017-10670 1 Xoev 1 Osci Transport Library 2017-07-06 7.5 HIGH 9.8 CRITICAL
An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as used in OSCI Transport Library 1.6.1 (Java) and OSCI Transport Library 1.6 (.NET), exploitable by sending a crafted standard-conforming OSCI message from within the infrastructure.
CVE-2017-9097 1 Hoytech 1 Antiweb 2017-07-05 6.4 MEDIUM 9.1 CRITICAL
In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through 3.21.2, WS100 devices through 3.30.5, EC150 devices through 1.40.0, WS200 devices through 3.30.4, EC250 devices through 1.40.0, and other products, an LFI vulnerability allows a remote attacker to read or modify files through a path traversal technique, as demonstrated by reading the password file, or using the template parameter to cgi-bin/write.cgi to write to an arbitrary file.
CVE-2017-9246 1 Newrelic 1 .net Agent 2017-07-05 7.5 HIGH 9.8 CRITICAL
New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe applications via vectors involving failure to escape quotes during use of the Slow Queries feature, as demonstrated by a mishandled quote in a VALUES clause of an INSERT statement, after bypassing a SET SHOWPLAN_ALL ON protection mechanism.
CVE-2016-5411 1 Redhat 2 Enterprise Linux, Quickstart Cloud Installer 2017-07-05 10.0 HIGH 9.8 CRITICAL
/var/lib/ovirt-engine/setup/engine-DC-config.py in Red Hat QuickStart Cloud Installer (QCI) before 1.0 GA is created world readable and contains the root password of the deployed system.
CVE-2017-9830 1 Code42 1 Crashplan 2017-07-05 7.5 HIGH 9.8 CRITICAL
Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.
CVE-2015-1778 1 Opendaylight 1 Opendaylight 2017-07-05 7.5 HIGH 9.8 CRITICAL
The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination.
CVE-2017-2773 1 Pivotal Software 1 Cloud Foundry Elastic Runtime 2017-07-03 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users in multiple components included in PCF Elastic Runtime, aka an "Unauthenticated JWT signing algorithm in multiple components" issue.
CVE-2016-9849 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin. It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-6525 2 Artifex, Debian 2 Mupdf, Debian Linux 2017-07-01 7.5 HIGH 9.8 CRITICAL
Heap-based buffer overflow in the pdf_load_mesh_params function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a large decode array.
CVE-2016-6629 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 10.0 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin involving the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.