| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| IBM QRadar 7.2 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM Reference #: 1999545. |
| The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when "Internet pass-thru Mode" is enabled, which allows attackers with access to STA side LAN can obtain files or data. |
| go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated. |
| LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code. |
| Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP. |
| A denial of service vulnerability exists in the IOCTL handling functionality of Kaspersky Internet Security KL1 driver. A specially crafted IOCTL signal can cause an access violation in KL1 kernel driver resulting in local system denial of service. An attacker can run a program from user-mode to trigger this vulnerability. |
| A denial of service vulnerability exists in the syscall filtering functionality of Kaspersky Internet Security KLIF driver. A specially crafted native api call can cause a access violation in KLIF kernel driver resulting in local denial of service. An attacker can run program from user-mode to trigger this vulnerability. |
| A denial of service vulnerability exists in the syscall filtering functionality of the Kaspersky Internet Security KLIF driver. A specially crafted native api call request can cause a access violation exception in KLIF kernel driver resulting in local denial of service. An attacker can run program from user-mode to trigger this vulnerability. |
| Firejail 0.9.38.4 allows local users to execute arbitrary commands outside of the sandbox via a crafted TIOCSTI ioctl call. |
| The route manager in FlightGear before 2016.4.4 allows remote attackers to write to arbitrary files via a crafted Nasal script. |
| IBM UrbanCode Deploy could allow an authenticated attacker with special permissions to craft a script on the server in a way that will cause processes to run on a remote UCD agent machine. |
| IBM BigFix Remote Control 9.1.3 could allow a remote attacker to perform actions reserved for an administrator without authentication. IBM X-Force ID: 5512. |
| The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors. |
| MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command. |
| IBM UrbanCode Deploy could allow a malicious user to access the Agent Relay ActiveMQ Broker JMX interface and run plugins on the agent. |
| HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network. |
| Cybozu Garoon before 4.2.2 allows remote attackers to bypass login authentication via vectors related to API use. |
| The session management of the comment functionality in appleple a-blog cms 2.6.0.1 and earlier allows remote attackers to obtain or modify sensitive data via unspecified vectors. |
| An issue was discovered on OnePlus devices such as the 3T. The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs (due to the digital signature), it unnecessarily increases the attack surface, and allows for remote exploitation of other vulnerabilities such as CVE-2017-5948, CVE-2017-8850, and CVE-2017-8851. |
| Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites |
