| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not send the HSTS Strict-Transport-Security header, which makes it easier for man-in-the-middle attackers to hijack sessions or obtain sensitive information by leveraging the presence of HTTP requests. |
| Incomplete blacklist vulnerability in the Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, Link Controller, and PSM 11.x before 11.2.1 HF11, 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; BIG-IP AAM 11.4.0 before HF8 and 11.4.1 before HF6; BIG-IP AFM and PEM 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; and BIG-IP Edge Gateway, WebAccelerator, and WOM 11.x before 11.2.1 HF11 and 11.3.0 allows remote authenticated users to upload files via uploadImage.php. |
| Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers' installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation. |
| The Java Glassfish Admin Console in HP Executive Scorecard 9.40 and 9.41 does not require authentication, which allows remote attackers to execute arbitrary code via a session on TCP port 10001, aka ZDI-CAN-2116. |
| The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. |
| The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. |
| Unspecified vulnerability in Oracle Sun Solaris 11.3 allows remote attackers to affect confidentiality via unknown vectors. |
| admin/plugin.php in Piwigo through 2.8.3 doesn't validate the sections variable while using it to include files. This can cause information disclosure and code execution if it contains a .. sequence. |
| steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message. |
| Hanvon FaceID before 1.007.110 does not require authentication, which allows remote attackers to modify access-control and attendance-tracking data via API commands. |
| Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.0 and 8.5.1 through 8.5.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-5558, CVE-2016-5574, CVE-2016-5577, CVE-2016-5578, and CVE-2016-5579. |
| Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, and 12.0.1 through 12.0.3 allows remote authenticated users to affect confidentiality via vectors related to INFRA. |
| Unspecified vulnerability in the PeopleSoft Enterprise SCM Services Procurement component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. |
| The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule. |
| nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows does not properly restrict access to the stereosvrpipe named pipe, which allows local users to gain privileges via a commandline in a number 2 command, which is stored in the HKEY_LOCAL_MACHINE explorer Run registry key, a different vulnerability than CVE-2011-4784. |
| The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands. |
| Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116. |
| ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. |
| Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 does not properly restrict access to the (1) Design Mode and (2) Debug Logger mode modules, which allows remote attackers to gain privileges via crafted "received parameters." |
| The diagnosis_control.php page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to download PCAP files via vectors related to the UserName GET parameter. |
