Fwd: SB17-058: Vulnerability Summary for the Week of February 20, 2017

RICHARD BARTH w3hwn at comcast.net
Mon Feb 27 16:54:29 CST 2017


[U.S. Department of Homeland Security US-CERT]

National Cyber Awareness System:

SB17-058: Vulnerability Summary for the Week of February 20, 2017 https://www.us-cert.gov/ncas/bulletins/SB17-058
02/27/2017 08:19 AM EST

Original release date: February 27, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology http://www.nist.gov (NIST) National Vulnerability Database http://nvd.nist.gov (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security http://www.dhs.gov (DHS) National Cybersecurity and Communications Integration Center https://www.us-cert.gov/nccic (NCCIC) / United States Computer Emergency Readiness Team https://www.us-cert.gov (US-CERT). For modified or updated entries, please visit the NVD http://nvd.nist.gov , which contains historical vulnerability information.

The vulnerabilities are based on the CVE http://cve.mitre.org/ vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System http://nvd.nist.gov/cvss.cfm (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

* High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

* Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

* Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities

Primary Vendor -- Product 	Description 	Published 	CVSS Score 	Source & Patch Info
aerospike -- database_server 	An exploitable out-of-bounds write vulnerability exists in the batch transaction field parsing functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause an out-of-bounds write resulting in memory corruption which can lead to remote code execution. An attacker can simply connect to the port to trigger this vulnerability. 	2017-02-21 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9051&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-9051 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9051
MISC http://www.talosintelligence.com/reports/TALOS-2016-0265/
aerospike -- database_server 	An exploitable out-of-bounds indexing vulnerability exists within the RW fabric message particle type of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause the server to fetch a function table outside the bounds of an array resulting in remote code execution. An attacker can simply connect to the port to trigger this vulnerability. 	2017-02-21 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9053&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-9053 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9053
MISC http://www.talosintelligence.com/reports/TALOS-2016-0267/
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "WebSheet" component, which allows attackers to bypass a sandbox protection mechanism via unspecified vectors. 	2017-02-20 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7630&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-7630 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7630
CONFIRM https://support.apple.com/HT207422
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "AppleGraphicsControl" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4662&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-4662 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4662
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows local users to execute arbitrary code in a privileged context or cause a denial of service (MIG code mishandling and system crash) via unspecified vectors. 	2017-02-20 	7.2 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4669&vector=(AV:L/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-4669 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4669
BID http://www.securityfocus.com/bid/93849
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "ImageIO" component. It allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write and application crash) via a crafted PDF file. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4671&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-4671 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4671
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "libxpc" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4675&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-4675 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4675
BID http://www.securityfocus.com/bid/93849
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "Thunderbolt" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4780&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-4780 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4780
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7582&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7582 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7582
BID http://www.securityfocus.com/bid/94435
CONFIRM https://support.apple.com/HT207170
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7596&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7596 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7596
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7602&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7602 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7602
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages object-lifetime mishandling during process spawning. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7613&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7613 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7613
BID http://www.securityfocus.com/bid/94116
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (type confusion) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7617&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7617 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7617
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "kext tools" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7629&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7629 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7629
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Directory Services" component. It allows local users to gain privileges or cause a denial of service (use-after-free) via unspecified vectors. 	2017-02-20 	7.2 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7633&vector=(AV:L/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-7633 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7633
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. The issue involves the "Power Management" component. It allows local users to gain privileges via unspecified vectors related to Mach port name references. 	2017-02-20 	7.2 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7661&vector=(AV:L/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-7661 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7661
BID http://www.securityfocus.com/bid/94906
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.3 is affected. The issue involves the "Bluetooth" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2353&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2017-2353 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2353
BID http://www.securityfocus.com/bid/95723
CONFIRM https://support.apple.com/HT207483
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.3 is affected. The issue involves the "Graphics Drivers" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2358&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2017-2358 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2358
BID http://www.securityfocus.com/bid/95723
CONFIRM https://support.apple.com/HT207483
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "IOHIDFamily" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7591&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7591 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7591
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7606&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7606 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7606
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7612&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7612 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7612
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Disk Images" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7616&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7616 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7616
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows local users to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via unspecified vectors. 	2017-02-20 	7.2 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7621&vector=(AV:L/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-7621 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7621
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors. 	2017-02-20 	7.2 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7637&vector=(AV:L/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-7637 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7637
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7644&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2016-7644 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7644
BID http://www.securityfocus.com/bid/94904
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "syslog" component. It allows local users to gain privileges via unspecified vectors related to Mach port name references. 	2017-02-20 	7.2 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7660&vector=(AV:L/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-7660 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7660
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "CoreFoundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted string. 	2017-02-20 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7663&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-7663 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7663
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (use-after-free) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2360&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2017-2360 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2360
BID http://www.securityfocus.com/bid/95729
BID http://www.securityfocus.com/bid/95731
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207483
CONFIRM https://support.apple.com/HT207485
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. macOS before 10.12.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (buffer overflow) via a crafted app. 	2017-02-20 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2370&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2017-2370 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2370
BID http://www.securityfocus.com/bid/95731
MISC https://bugs.chromium.org/p/project-zero/issues/detail?id=1004
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207483
CONFIRM https://support.apple.com/HT207485
CONFIRM https://support.apple.com/HT207487
cmsmadesimple -- form_builder 	CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to execute PHP code via the cntnt01fbrp_forma_form_template parameter in admin_store_form. 	2017-02-21 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6070&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2017-6070 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6070
MISC http://dev.cmsmadesimple.org/project/files/69
MISC https://daylight-it.com/security-advisory-dlcs0001.html
dell -- sonicwall_secure_remote_access_server 	The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in its web administrative interface. These vulnerabilities occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile' or 'currentTSREmailTo' variables before making a call to system(), allowing for remote command injection. Exploitation of this vulnerability yields shell access to the remote machine under the nobody user account. 	2017-02-22 	10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9682&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-9682 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9682
CONFIRM http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.7/release-notes/resolved-issues?ParentProduct=868
dell -- sonicwall_secure_remote_access_server 	The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. This vulnerability occurs in the 'extensionsettings' CGI (/cgi-bin/extensionsettings) component responsible for handling some of the server's internal configurations. The CGI application doesn't properly escape the information it's passed when processing a particular multi-part form request involving scripts. The filename of the 'scriptname' variable is read in unsanitized before a call to system() is performed - allowing for remote command injection. Exploitation of this vulnerability yields shell access to the remote machine under the nobody user account. This is SonicWall Issue ID 181195. 	2017-02-22 	10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9683&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-9683 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9683
CONFIRM http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.7/release-notes/resolved-issues?ParentProduct=868
MISC http://pastebin.com/eJbeXgBr
dell -- sonicwall_secure_remote_access_server 	The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. This vulnerability occurs in the 'viewcert' CGI (/cgi-bin/viewcert) component responsible for processing SSL certificate information. The CGI application doesn't properly escape the information it's passed in the 'CERT' variable before a call to system() is performed - allowing for remote command injection. Exploitation of this vulnerability yields shell access to the remote machine under the nobody user account. 	2017-02-22 	10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9684&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-9684 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9684
CONFIRM http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.7/release-notes/resolved-issues?ParentProduct=868
MISC http://pastebin.com/g1e2qU6N
disksavvy -- disksavvy_enterprise 	Buffer overflow in the built-in web server in DiskSavvy Enterprise 9.4.18 allows remote attackers to execute arbitrary code via a long URI in a GET request. 	2017-02-22 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6187&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2017-6187 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6187
EXPLOIT-DB https://www.exploit-db.com/exploits/41436/
dlink -- websmart_dgs-1510_series_firmware 	D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Command Bypass attacks via unspecified vectors. 	2017-02-23 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6205&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2017-6205 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6205
CONFIRM http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10070
facebook -- hhvm 	Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 	2017-02-17 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6870&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-6870 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6870
MLIST http://www.openwall.com/lists/oss-security/2016/08/11/1
MLIST http://www.openwall.com/lists/oss-security/2016/08/19/1
CONFIRM https://github.com/facebook/hhvm/commit/365abe807cab2d60dc9ec307292a06181f77a9c2
facebook -- hhvm 	Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow. 	2017-02-17 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6871&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-6871 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6871
MLIST http://www.openwall.com/lists/oss-security/2016/08/11/1
MLIST http://www.openwall.com/lists/oss-security/2016/08/19/1
CONFIRM https://github.com/facebook/hhvm/commit/c00fc9d3003eb06226b58b6a48555f1456ee2475
facebook -- hhvm 	Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 	2017-02-17 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6872&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-6872 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6872
MLIST http://www.openwall.com/lists/oss-security/2016/08/11/1
MLIST http://www.openwall.com/lists/oss-security/2016/08/19/1
CONFIRM https://github.com/facebook/hhvm/commit/2c9a8fcc73a151608634d3e712973d192027c271
facebook -- hhvm 	Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 	2017-02-17 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6873&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-6873 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6873
MLIST http://www.openwall.com/lists/oss-security/2016/08/11/1
MLIST http://www.openwall.com/lists/oss-security/2016/08/19/1
CONFIRM https://github.com/facebook/hhvm/commit/e264f04ae825a5d97758130cf8eec99862517e7e
facebook -- hhvm 	The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion. 	2017-02-17 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6874&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-6874 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6874
MLIST http://www.openwall.com/lists/oss-security/2016/08/11/1
MLIST http://www.openwall.com/lists/oss-security/2016/08/19/1
CONFIRM https://github.com/facebook/hhvm/commit/05e706d98f748f609b19d8697e490eaab5007d69
facebook -- hhvm 	Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 	2017-02-17 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6875&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-6875 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6875
MLIST http://www.openwall.com/lists/oss-security/2016/08/11/1
MLIST http://www.openwall.com/lists/oss-security/2016/08/19/1
CONFIRM https://github.com/facebook/hhvm/commit/1888810e77b446a79a7674784d5f139fcfa605e2
linux -- linux_kernel 	Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology. 	2017-02-22 	7.2 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-8636&vector=(AV:L/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2016-8636 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8636
CONFIRM http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=647bf3d8a8e5777319da92af672289b2a6c4dc66
CONFIRM http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.10
MLIST http://www.openwall.com/lists/oss-security/2017/02/11/9
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1421981
MISC https://eyalitkin.wordpress.com/2017/02/11/cve-publication-cve-2016-8636/
CONFIRM https://github.com/torvalds/linux/commit/647bf3d8a8e5777319da92af672289b2a6c4dc66
linux -- linux_kernel 	Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. 	2017-02-18 	7.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5986&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:C) 	CVE-2017-5986 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5986
CONFIRM http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2dcab598484185dea7ec22219c76dcdd59e3cb90
CONFIRM http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11
MLIST http://www.openwall.com/lists/oss-security/2017/02/14/6
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1420276
CONFIRM https://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90
linux -- linux_kernel 	Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786. 	2017-02-18 	7.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6001&vector=(AV:N/AC:H/Au:N/C:C/I:C/A:C) 	CVE-2017-6001 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6001
CONFIRM http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=321027c1fe77f892f4ea07846aeae08cefbbb290
CONFIRM http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.7
MLIST http://www.openwall.com/lists/oss-security/2017/02/16/1
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1422825
CONFIRM https://github.com/torvalds/linux/commit/321027c1fe77f892f4ea07846aeae08cefbbb290
linux -- linux_kernel 	The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to obtain root privileges or cause a denial of service (double free) via an application that makes an IPV6_RECVPKTINFO setsockopt system call. 	2017-02-18 	9.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6074&vector=(AV:N/AC:M/Au:N/C:C/I:C/A:C) 	CVE-2017-6074 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6074
MLIST http://www.openwall.com/lists/oss-security/2017/02/22/3
CONFIRM https://github.com/torvalds/linux/commit/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
mail-masta -- mail-masta_plugin 	A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id. 	2017-02-21 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6095&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2017-6095 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6095
MISC https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
metalgenix -- genixcms 	CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation of privileges. The forgotpassword.php page can be used to acquire a token. 	2017-02-21 	7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5959&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2017-5959 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5959
CONFIRM https://github.com/semplon/GeniXCMS/issues/70
CONFIRM https://github.com/semplon/GeniXCMS/releases/tag/v1.0.2
netgear -- dgn2200_firmware 	ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping_IPAddr field of an HTTP POST request. 	2017-02-22 	10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6077&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) 	CVE-2017-6077 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6077
EXPLOIT-DB https://www.exploit-db.com/exploits/41394/
trendmicro -- interscan_web_security_virtual_appliance 	Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to run arbitrary commands on the system as root via Patch Update functionality. This was resolved in Version 6.5 CP 1737. 	2017-02-21 	9.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9269&vector=(AV:N/AC:L/Au:S/C:C/I:C/A:C) 	CVE-2016-9269 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9269
CONFIRM https://success.trendmicro.com/solution/1116672
zyxel -- usg50_firmware 	Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial of service (CPU consumption) via a flood of ICMPv4 Port Unreachable packets. 	2017-02-21 	7.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-10227&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) 	CVE-2016-10227 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10227
MISC http://www.zyxel.com/support/announcement_blacknurse_attack.shtml
MISC https://cxsecurity.com/issue/WLB-2017020177

Medium Vulnerabilities

Primary Vendor -- Product 	Description 	Published 	CVSS Score 	Source & Patch Info
aerospike -- database_server 	An exploitable denial-of-service vulnerability exists in the fabric-worker component of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause the server process to dereference a null pointer. An attacker can simply connect to a TCP port in order to trigger this vulnerability. 	2017-02-21 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9049&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-9049 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9049
MISC http://www.talosintelligence.com/reports/TALOS-2016-0263/
apple -- apple_tv 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2350&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2017-2350 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2350
BID http://www.securityfocus.com/bid/95727
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
apple -- apple_tv 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2362&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2362 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2362
BID http://www.securityfocus.com/bid/95727
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
apple -- apple_tv 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2365&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2017-2365 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2365
BID http://www.securityfocus.com/bid/95727
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
apple -- apple_tv 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2369&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2369 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2369
BID http://www.securityfocus.com/bid/95727
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
apple -- apple_tv 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2373&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2373 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2373
BID http://www.securityfocus.com/bid/95727
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
apple -- garageband 	An issue was discovered in certain Apple products. GarageBand before 10.1.6 is affected. The issue involves the "Projects" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted GarageBand project file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2374&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2374 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2374
CONFIRM https://support.apple.com/HT207518
apple -- icloud 	An issue was discovered in certain Apple products. iCloud before 6.0.1 is affected. The issue involves the setup subsystem in the "iCloud" component. It allows local users to gain privileges via a crafted dynamic library in an unspecified directory. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7583&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-7583 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7583
BID http://www.securityfocus.com/bid/94570
CONFIRM https://support.apple.com/HT207273
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Sandbox Profiles" component, which allows attackers to read photo-directory metadata via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4664&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-4664 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4664
BID http://www.securityfocus.com/bid/93854
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Sandbox Profiles" component, which allows attackers to read audio-recording metadata via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4665&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-4665 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4665
BID http://www.securityfocus.com/bid/93854
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "Kernel" component. It allows attackers to obtain sensitive information from kernel memory via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4680&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-4680 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4680
BID http://www.securityfocus.com/bid/93854
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. The issue involves the "iTunes Backup" component, which improperly hashes passwords, making it easier to decrypt files. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4685&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-4685 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4685
BID http://www.securityfocus.com/bid/94432
CONFIRM https://support.apple.com/HT207271
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Mail" component, which does not alert the user to an S/MIME email signature that used a revoked certificate. 	2017-02-20 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4689&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 	CVE-2016-4689 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4689
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Image Capture" component, which allows attackers to execute arbitrary code via a crafted USB HID device. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4690&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-4690 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4690
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "SpringBoard" component, which allows physically proximate attackers to bypass the passcode attempt counter and unlock a device via unspecified vectors. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4781&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-4781 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4781
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. The issue involves the "Safari" component, which allows remote web servers to cause a denial of service via a crafted URL. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7581&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7581 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7581
BID http://www.securityfocus.com/bid/94432
CONFIRM https://support.apple.com/HT207271
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Local Authentication" component, which does not honor the configured screen-lock time interval if the Touch ID prompt is visible. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7601&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-7601 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7601
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Graphics Driver" component, which allows remote attackers to cause a denial of service via a crafted video. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7665&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7665 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7665
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "WebKit" component, which allows XSS attacks against Safari. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7762&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-7762 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7762
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "Contacts" component. It allows remote attackers to cause a denial of service (application crash) via a crafted contact card. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2368&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2017-2368 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2368
BID http://www.securityfocus.com/bid/95722
CONFIRM https://support.apple.com/HT207482
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "WebKit" component, which allows remote attackers to launch popups via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2371&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-2371 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2371
BID http://www.securityfocus.com/bid/95735
CONFIRM https://support.apple.com/HT207482
apple -- itunes 	An issue was discovered in certain Apple products. Safari before 10.0.1 is affected. iCloud before 6.0.1 is affected. iTunes before 12.5.2 is affected. tvOS before 10.0.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4613&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-4613 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4613
BID http://www.securityfocus.com/bid/93949
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207272
CONFIRM https://support.apple.com/HT207273
CONFIRM https://support.apple.com/HT207274
apple -- itunes 	An issue was discovered in certain Apple products. iOS before 10 is affected. Safari before 10 is affected. iTunes before 12.5.1 is affected. tvOS before 10 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4764&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4764 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4764
BID http://www.securityfocus.com/bid/94430
CONFIRM https://support.apple.com/HT207142
CONFIRM https://support.apple.com/HT207143
CONFIRM https://support.apple.com/HT207157
CONFIRM https://support.apple.com/HT207158
apple -- itunes 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. Safari before 10.0.1 is affected. iCloud before 6.0.1 is affected. iTunes before 12.5.2 is affected. tvOS before 10.0.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7578&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7578 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7578
BID http://www.securityfocus.com/bid/93949
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207272
CONFIRM https://support.apple.com/HT207273
CONFIRM https://support.apple.com/HT207274
apple -- itunes 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. iCloud before 6.1.1 is affected. iTunes before 12.5.5 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2354&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2354 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2354
BID http://www.securityfocus.com/bid/95736
CONFIRM https://support.apple.com/HT207481
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
CONFIRM https://support.apple.com/HT207486
apple -- itunes 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. iCloud before 6.1.1 is affected. iTunes before 12.5.5 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2355&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2355 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2355
BID http://www.securityfocus.com/bid/95736
CONFIRM https://support.apple.com/HT207481
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
CONFIRM https://support.apple.com/HT207486
apple -- itunes 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. iCloud before 6.1.1 is affected. iTunes before 12.5.5 is affected. tvOS before 10.1.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2356&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2356 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2356
BID http://www.securityfocus.com/bid/95736
CONFIRM https://support.apple.com/HT207481
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
CONFIRM https://support.apple.com/HT207486
apple -- itunes 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. iCloud before 6.1.1 is affected. iTunes before 12.5.5 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2366&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2366 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2366
BID http://www.securityfocus.com/bid/95733
CONFIRM https://support.apple.com/HT207481
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207486
apple -- logic_pro_x 	An issue was discovered in certain Apple products. GarageBand before 10.1.5 is affected. Logic Pro X before 10.3 is affected. The issue involves the "Projects" component, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted GarageBand project file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2372&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-2372 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2372
BID http://www.securityfocus.com/bid/95627
CONFIRM https://support.apple.com/HT207476
CONFIRM https://support.apple.com/HT207477
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12 is affected. The issue involves a sandbox escape related to launchctl process spawning in the "libxpc" component. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4617&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-4617 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4617
CONFIRM https://support.apple.com/HT207170
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "FontParser" component. It allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted font. 	2017-02-20 	5.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4660&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:P) 	CVE-2016-4660 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4660
BID http://www.securityfocus.com/bid/93849
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "ntfs" component, which misparses disk images and allows attackers to cause a denial of service via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4661&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-4661 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4661
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "NVIDIA Graphics Drivers" component. It allows attackers to cause a denial of service (memory corruption) via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4663&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-4663 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4663
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "ATS" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4667&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4667 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4667
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "CoreGraphics" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted JPEG file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4673&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4673 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4673
BID http://www.securityfocus.com/bid/93849
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "ATS" component. It allows local users to gain privileges or cause a denial of service (memory corruption and application crash) via unspecified vectors. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4674&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-4674 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4674
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "AppleSMC" component. It allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4678&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-4678 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4678
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "libarchive" component, which allows remote attackers to write to arbitrary files via a crafted archive containing a symlink. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4679&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-4679 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4679
BID http://www.securityfocus.com/bid/93849
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "Core Image" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted JPEG file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4681&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4681 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4681
BID http://www.securityfocus.com/bid/94431
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12 is affected. macOS before 10.12.1 is affected. The issue involves the "ImageIO" component. It allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted SGI file. 	2017-02-20 	5.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4682&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:P) 	CVE-2016-4682 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4682
BID http://www.securityfocus.com/bid/93852
CONFIRM https://support.apple.com/HT207170
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.1 is affected. The issue involves the "ImageIO" component. It allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted SGI file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4683&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4683 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4683
BID http://www.securityfocus.com/bid/94431
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "FontParser" component. It allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted font. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4688&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4688 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4688
BID http://www.securityfocus.com/bid/94572
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
CONFIRM https://support.apple.com/HT207487
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. The issue involves the "IDS - Connectivity" component, which allows man-in-the-middle attackers to spoof calls via a "switch caller" notification. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4721&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-4721 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4721
BID http://www.securityfocus.com/bid/94429
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. The issue involves the "FaceTime" component, which allows remote attackers to trigger memory corruption and obtain audio data from a call that appeared to have ended. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7577&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7577 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7577
BID http://www.securityfocus.com/bid/94429
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. The issue involves the "CFNetwork Proxies" component, which allows man-in-the-middle attackers to spoof a proxy password authentication requirement and obtain sensitive information. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7579&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7579 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7579
BID http://www.securityfocus.com/bid/93856
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12 is affected. The issue involves the "Mail" component, which allows remote web servers to cause a denial of service via a crafted URL. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7580&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7580 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7580
BID http://www.securityfocus.com/bid/94434
CONFIRM https://support.apple.com/HT207170
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. tvOS before 10.0.1 is affected. watchOS before 3.1 is affected. The issue involves the "AppleMobileFileIntegrity" component, which allows remote attackers to spoof signed code by using a matching team ID. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7584&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7584 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7584
BID http://www.securityfocus.com/bid/94571
CONFIRM https://support.apple.com/HT207269
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "CoreStorage" component. It allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. 	2017-02-20 	4.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7603&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:C) 	CVE-2016-7603 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7603
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "CoreCapture" component. It allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. 	2017-02-20 	4.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7604&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:C) 	CVE-2016-7604 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7604
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Bluetooth" component. It allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7605&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7605 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7605
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "AppleGraphicsPowerManagement" component. It allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. 	2017-02-20 	4.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7609&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:C) 	CVE-2016-7609 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7609
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Foundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .gcx file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7618&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7618 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7618
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Grapher" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .gcx file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7622&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7622 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7622
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. The issue involves the "CoreMedia External Displays" component. It allows local users to gain privileges or cause a denial of service (type confusion) via unspecified vectors. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7655&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7655 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7655
BID http://www.securityfocus.com/bid/94906
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. The issue involves the "CoreText" component. It allows remote attackers to cause a denial of service via a crafted string. 	2017-02-20 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7667&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-7667 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7667
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "xar" component, which allows remote attackers to execute arbitrary code via a crafted archive that triggers use of uninitialized memory locations. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7742&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7742 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7742
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.3 is affected. The issue involves the "IOAudioFamily" component. It allows attackers to obtain sensitive kernel memory-layout information via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2357&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2017-2357 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2357
BID http://www.securityfocus.com/bid/95723
CONFIRM https://support.apple.com/HT207483
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.3 is affected. The issue involves the "Help Viewer" component, which allows XSS attacks via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2361&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-2361 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2361
BID http://www.securityfocus.com/bid/95723
MISC https://bugs.chromium.org/p/project-zero/issues/detail?id=1040
CONFIRM https://support.apple.com/HT207483
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. Safari before 10.0.1 is affected. tvOS before 10.0.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4666&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4666 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4666
BID http://www.securityfocus.com/bid/93851
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207272
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. Safari before 10.0.1 is affected. tvOS before 10.0.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4677&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4677 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4677
BID http://www.securityfocus.com/bid/93853
CONFIRM https://support.apple.com/HT207270
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207272
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4692&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4692 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4692
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information from process memory or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	5.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4743&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:P) 	CVE-2016-4743 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4743
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7586&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7586 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7586
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7587&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7587 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7587
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component, which allows remote attackers to obtain sensitive information via crafted JavaScript prompts on a web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7592&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7592 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7592
BID http://www.securityfocus.com/bid/94909
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information from process memory via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7598&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7598 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7598
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site that uses HTTP redirects. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7599&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7599 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7599
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7610&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7610 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7610
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7611&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7611 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7611
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information via a blob URL on a web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7623&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7623 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7623
BID http://www.securityfocus.com/bid/94913
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7632&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7632 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7632
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7635&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7635 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7635
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7639&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7639 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7639
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7640&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7640 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7640
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7641&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7641 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7641
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7642&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7642 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7642
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7645&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7645 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7645
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7646&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7646 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7646
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7648&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7648 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7648
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7649&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7649 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7649
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7652&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7652 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7652
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7654&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7654 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7654
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7656&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7656 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7656
BID http://www.securityfocus.com/bid/94907
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
apple -- safari 	An issue was discovered in certain Apple products. Safari before 10.0.3 is affected. The issue involves the "Safari" component, which allows remote attackers to spoof the address bar via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2359&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-2359 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2359
BID http://www.securityfocus.com/bid/95724
CONFIRM https://support.apple.com/HT207484
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2364&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2017-2364 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2364
BID http://www.securityfocus.com/bid/95725
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
apple -- transporter 	An issue was discovered in certain Apple products. Transporter before 1.9.2 is affected. The issue involves the "iTMSTransporter" component, which allows attackers to obtain sensitive information via a crafted EPUB. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7666&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7666 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7666
BID http://www.securityfocus.com/bid/94912
CONFIRM https://support.apple.com/HT207432
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "FontParser" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4691&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-4691 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4691
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Security" component, which makes it easier for attackers to bypass cryptographic protection mechanisms by leveraging use of the 3DES cipher. 	2017-02-20 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4693&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-4693 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4693
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "CoreMedia Playback" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted MP4 file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7588&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7588 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7588
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. watchOS before 3.1.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7589&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7589 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7589
BID http://www.securityfocus.com/bid/94908
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207424
CONFIRM https://support.apple.com/HT207427
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "ICU" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7594&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7594 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7594
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "CoreText" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7595&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7595 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7595
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component, which allows attackers to obtain sensitive information from kernel memory via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7607&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7607 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7607
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Kernel" component, which allows local users to cause a denial of service via unspecified vectors. 	2017-02-20 	4.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7615&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:C) 	CVE-2016-7615 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7615
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. tvOS before 10.1 is affected. watchOS before 3.1.1 is affected. The issue involves the "Profiles" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted certificate profile. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7626&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7626 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7626
BID http://www.securityfocus.com/bid/94852
CONFIRM https://lists.apple.com/archives/security-announce/2016/Dec/msg00001.html
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207425
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "CoreGraphics" component. It allows attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted font. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7627&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7627 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7627
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Security" component, which allows man-in-the-middle attackers to cause a denial of service (application crash) via vectors related to OCSP responder URLs. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7636&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7636 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7636
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "ImageIO" component. It allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) via a crafted web site. 	2017-02-20 	5.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7643&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:P) 	CVE-2016-7643 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7643
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. watchOS before 3.1.1 is affected. The issue involves the "Accounts" component, which allows local users to bypass intended authorization restrictions by leveraging the mishandling of an app uninstall. 	2017-02-20 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7651&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-7651 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7651
BID http://www.securityfocus.com/bid/94851
CONFIRM https://lists.apple.com/archives/security-announce/2016/Dec/msg00001.html
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "IOKit" component. It allows attackers to obtain sensitive information from kernel memory via a crafted app. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7657&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-7657 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7657
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Audio" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7658&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7658 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7658
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Audio" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file. 	2017-02-20 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7659&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2016-7659 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7659
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "Security" component, which allows remote attackers to spoof certificates via unspecified vectors. 	2017-02-20 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7662&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 	CVE-2016-7662 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7662
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. Safari before 10.0.3 is affected. tvOS before 10.1.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "WebKit" component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site. 	2017-02-20 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2363&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2017-2363 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2363
BID http://www.securityfocus.com/bid/95728
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207484
CONFIRM https://support.apple.com/HT207485
CONFIRM https://support.apple.com/HT207487
cisco -- identity_services_engine_software 	A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users, because of SQL Injection. More Information: CSCvb15627. Known Affected Releases: 1.4(0.908). 	2017-02-21 	6.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3835&vector=(AV:N/AC:L/Au:S/C:P/I:P/A:P) 	CVE-2017-3835 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3835
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ise
cisco -- intrusion_prevention_system_device_manager 	A vulnerability in the web-based management interface of the Cisco Intrusion Prevention System Device Manager (IDM) could allow an unauthenticated, remote attacker to view sensitive information stored in certain HTML comments. More Information: CSCuh91455. Known Affected Releases: 7.2(1)V7. 	2017-02-21 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3842&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-3842 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3842
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-idm
cisco -- meeting_server 	A vulnerability in an internal API of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected appliance. More Information: CSCvc89678. Known Affected Releases: 2.1. Known Fixed Releases: 2.1.2. 	2017-02-21 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3830&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2017-3830 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3830
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cms
cisco -- meeting_server 	An HTTP Packet Processing vulnerability in the Web Bridge interface of the Cisco Meeting Server (CMS), formerly Acano Conferencing Server, could allow an authenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. In addition, the attacker could potentially cause the application to crash unexpectedly, resulting in a denial of service (DoS) condition. The attacker would need to be authenticated and have a valid session with the Web Bridge. Affected Products: This vulnerability affects Cisco Meeting Server software releases prior to 2.1.2. This product was previously known as Acano Conferencing Server. More Information: CSCvc89551. Known Affected Releases: 2.0 2.0.7 2.1. Known Fixed Releases: 2.1.2. 	2017-02-21 	5.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3837&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:P) 	CVE-2017-3837 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3837
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cms1
cisco -- prime_collaboration_assurance 	A vulnerability in the file download functions for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to download system files that should be restricted. More Information: CSCvc99446. Known Affected Releases: 11.5(0). 	2017-02-21 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3843&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2017-3843 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3843
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp1
cisco -- prime_collaboration_assurance 	A vulnerability in exporting functions of the user interface for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to view file directory listings and download files. Affected Products: Cisco Prime Collaboration Assurance software versions 11.0, 11.1, and 11.5 are vulnerable. Cisco Prime Collaboration Assurance software versions prior to 11.0 are not vulnerable. More Information: CSCvc86238. Known Affected Releases: 11.5(0). 	2017-02-21 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3844&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2017-3844 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3844
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp2
cisco -- prime_collaboration_assurance 	A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. Affected Products: Cisco Prime Collaboration Assurance software versions 11.0, 11.1, and 11.5 are vulnerable. Cisco Prime Collaboration Assurance software versions prior to 11.0 are not vulnerable. More Information: CSCvc77783. Known Affected Releases: 11.5(0). 	2017-02-21 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3845&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-3845 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3845
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-pcp3
cisco -- secure_access_control_system 	A vulnerability in Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to conduct a DOM-based cross-site scripting (XSS) attack against the user of the web interface of the affected system. More Information: CSCvc04838. Known Affected Releases: 5.8(2.5). 	2017-02-21 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3838&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-3838 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3838
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs
cisco -- secure_access_control_system 	An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system. More Information: CSCvc04845. Known Affected Releases: 5.8(2.5). 	2017-02-21 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3839&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2017-3839 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3839
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs1
cisco -- secure_access_control_system 	A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page, aka an Open Redirect Vulnerability. More Information: CSCvc04849. Known Affected Releases: 5.8(2.5). 	2017-02-21 	5.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3840&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 	CVE-2017-3840 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3840
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs2
cisco -- secure_access_control_system 	A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information. More Information: CSCvc04854. Known Affected Releases: 5.8(2.5). 	2017-02-21 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3841&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-3841 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3841
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3
cisco -- unified_communications_manager 	A vulnerability in the serviceability page of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks. More Information: CSCvc49348. Known Affected Releases: 10.5(2.14076.1). Known Fixed Releases: 12.0(0.98000.209) 12.0(0.98000.478) 12.0(0.98000.609). 	2017-02-21 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3821&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-3821 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3821
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm
cisco -- unified_communications_manager 	A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvb98777. Known Affected Releases: 11.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 11.0(1.23063.1) 11.5(1.12029.1) 11.5(1.12900.11) 11.5(1.12900.21) 11.6(1.10000.4) 12.0(0.98000.156) 12.0(0.98000.178) 12.0(0.98000.369) 12.0(0.98000.470) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.98500.6). 	2017-02-21 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3828&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-3828 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3828
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm1
cisco -- unified_communications_manager 	A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc30999. Known Affected Releases: 12.0(0.98000.280). Known Fixed Releases: 11.0(1.23900.3) 12.0(0.98000.180) 12.0(0.98000.422) 12.0(0.98000.541) 12.0(0.98000.6). 	2017-02-21 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3829&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-3829 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3829
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm2
cisco -- unified_communications_manager 	A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software. More Information: CSCvb95951. Known Affected Releases: 12.0(0.99999.2). Known Fixed Releases: 11.0(1.23064.1) 11.5(1.12031.1) 11.5(1.12900.21) 11.5(1.12900.7) 11.5(1.12900.8) 11.6(1.10000.4) 12.0(0.98000.155) 12.0(0.98000.178) 12.0(0.98000.366) 12.0(0.98000.367) 12.0(0.98000.468) 12.0(0.98000.469) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.98500.6). 	2017-02-21 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3833&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-3833 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3833
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-ucm
cisco -- unified_communications_manager 	A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data. More Information: CSCvb61689. Known Affected Releases: 11.5(1.11007.2). Known Fixed Releases: 12.0(0.98000.162) 12.0(0.98000.178) 12.0(0.98000.383) 12.0(0.98000.488) 12.0(0.98000.536) 12.0(0.98000.6) 12.0(0.98500.6). 	2017-02-21 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3836&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2017-3836 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3836
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-cucm3
cmsmadesimple -- form_builder 	CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml. 	2017-02-21 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6071&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-6071 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6071
MISC http://dev.cmsmadesimple.org/project/files/69
MISC https://daylight-it.com/security-advisory-dlcs0001.html
cmsmadesimple -- form_builder 	CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin. 	2017-02-21 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6072&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-6072 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6072
MISC http://dev.cmsmadesimple.org/project/files/69
MISC https://daylight-it.com/security-advisory-dlcs0001.html
digisol -- dg-hr1400_firmware 	Multiple cross-site request forgery (CSRF) vulnerabilities in the access portal on the DIGISOL DG-HR1400 Wireless Router with firmware 1.00.02 allow remote attackers to hijack the authentication of administrators for requests that (1) change the SSID, (2) change the Wi-Fi password, or (3) possibly have unspecified other impact via crafted requests to form2WlanBasicSetup.cgi. 	2017-02-21 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6127&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6127 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6127
FULLDISC http://seclists.org/fulldisclosure/2017/Feb/55
MISC https://drive.google.com/file/d/0B6715xUqH18MeV9GOVE0ZmFrQUU/view
dlink -- websmart_dgs-1510_series_firmware 	D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vectors. 	2017-02-23 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6206&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-6206 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6206
CONFIRM http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10070
faststone -- maxview 	FastStone MaxView 3.0 and 3.1 allows user-assisted attackers to cause a denial of service (application crash) via a malformed BMP image with a crafted biSize field in the BITMAPINFOHEADER section. 	2017-02-21 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6078&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2017-6078 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6078
MISC https://github.com/ilsani/rd/tree/master/security-advisories/faststone/maxview-cve-2017-6078
fedoraproject -- fedora 	The route manager in FlightGear before 2016.4.4 allows remote attackers to write to arbitrary files via a crafted Nasal script. 	2017-02-22 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9956&vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 	CVE-2016-9956 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9956
DEBIAN http://www.debian.org/security/2016/dsa-3742
MLIST http://www.openwall.com/lists/oss-security/2016/12/14/11
MLIST http://www.openwall.com/lists/oss-security/2016/12/15/10
MLIST http://www.openwall.com/lists/oss-security/2016/12/16/5
BID http://www.securityfocus.com/bid/94945
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZKAN7V6UOHSRFWO567XMN4O6WXTSL32/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DB3B5XBB2NL2O2U4WNYGH7ZL45Q4UHGG/
CONFIRM https://sourceforge.net/p/flightgear/flightgear/ci/280cd523686fbdb175d50417266d2487a8ce67d2/
CONFIRM https://sourceforge.net/projects/flightgear/files/release-2016.4/
gomlab -- gom_player 	GOM Player 2.3.10.5266 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted fpx file. 	2017-02-21 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5881&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-5881 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5881
EXPLOIT-DB https://www.exploit-db.com/exploits/41367/
google -- chrome 	Interactions with the OS in Google Chrome prior to 56.0.2924.76 for Mac insufficiently cleared video memory, which allowed a remote attacker to possibly extract image fragments on systems with GeForce 8600M graphics chips via a crafted HTML page. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5017&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2017-5017 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5017
BID http://www.securityfocus.com/bid/95792
CONFIRM https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html
CONFIRM https://crbug.com/676975
google -- chrome 	Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5018&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-5018 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5018
BID http://www.securityfocus.com/bid/95792
CONFIRM https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html
CONFIRM https://crbug.com/668665
google -- chrome 	A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5021&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2017-5021 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5021
BID http://www.securityfocus.com/bid/95792
CONFIRM https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html
CONFIRM https://crbug.com/663726
google -- chrome 	FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5024&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2017-5024 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5024
BID http://www.securityfocus.com/bid/95792
CONFIRM https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html
CONFIRM https://crbug.com/643951
html5lib -- html5lib 	The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values. 	2017-02-22 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9909&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-9909 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9909
MLIST http://www.openwall.com/lists/oss-security/2016/12/06/5
MLIST http://www.openwall.com/lists/oss-security/2016/12/08/8
BID http://www.securityfocus.com/bid/95132
CONFIRM https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7
CONFIRM https://github.com/html5lib/html5lib-python/issues/11
CONFIRM https://github.com/html5lib/html5lib-python/issues/12
CONFIRM https://html5lib.readthedocs.io/en/latest/changes.html#b9
html5lib -- html5lib 	The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909. 	2017-02-22 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9910&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-9910 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9910
MLIST http://www.openwall.com/lists/oss-security/2016/12/06/5
MLIST http://www.openwall.com/lists/oss-security/2016/12/08/8
BID http://www.securityfocus.com/bid/95132
CONFIRM https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7
CONFIRM https://github.com/html5lib/html5lib-python/issues/11
CONFIRM https://github.com/html5lib/html5lib-python/issues/12
CONFIRM https://html5lib.readthedocs.io/en/latest/changes.html#b9
ibm -- inotes 	IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1997010. 	2017-02-23 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5883&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-5883 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5883
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21997010
ibm -- websphere_mq 	IBM WebSphere MQ 8.0 could allow an authenticated user to crash the MQ channel due to improper data conversion handling. IBM Reference #: 1998661. 	2017-02-22 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-3013&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 	CVE-2016-3013 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3013
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21998661
ibm -- websphere_mq 	IBM WebSphere MQ 8.0, under nonstandard configurations, sends password data in cleartext over the network that could be intercepted using man in the middle techniques. IBM Reference #: 1998660. 	2017-02-22 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-3052&vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 	CVE-2016-3052 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3052
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21998660
ibm -- websphere_mq 	IBM WebSphere MQ 8.0 could allow an authenticated user with access to the queue manager and queue, to deny service to other channels running under the same process. IBM Reference #: 1998649. 	2017-02-22 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-8915&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 	CVE-2016-8915 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8915
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21998649
ibm -- websphere_mq 	IBM WebSphere MQ 8.0 could allow an authenticated user with access to the queue manager to bring down MQ channels using specially crafted HTTP requests. IBM Reference #: 1998648. 	2017-02-22 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-8986&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 	CVE-2016-8986 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8986
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21998648
inverse-inc -- sogo 	Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2014-9905&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2014-9905 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9905
MLIST http://www.openwall.com/lists/oss-security/2016/07/09/3
CONFIRM https://github.com/inverse-inc/sogo/commit/1a7fc2a0e90a19dfb1fce292ae5ff53aa513ade9
CONFIRM https://github.com/inverse-inc/sogo/commit/3a5e44e7eb8b390b67a8f8a83030b49606956501
CONFIRM https://github.com/inverse-inc/sogo/commit/80a09407652ec04e8c9fb6cb48e1029e69a15765
CONFIRM https://github.com/inverse-inc/sogo/commit/c94595ea7f0f843c2d7abf25df039b2bbe707625
CONFIRM https://sogo.nu/bugs/view.php?id=2598
inverse-inc -- sogo 	Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. 	2017-02-17 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6189&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2016-6189 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6189
MLIST http://www.openwall.com/lists/oss-security/2016/07/09/3
CONFIRM https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
CONFIRM https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
CONFIRM https://sogo.nu/bugs/view.php?id=3695
inverse-inc -- sogo 	SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the "View the Date & Time" restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users. 	2017-02-17 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6190&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2016-6190 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6190
MLIST http://www.openwall.com/lists/oss-security/2016/07/09/3
CONFIRM https://github.com/inverse-inc/sogo/commit/717f45f640a2866b76a8984139391fae64339225
CONFIRM https://github.com/inverse-inc/sogo/commit/875a4aca3218340fd4d3141950c82c2ff45b343d
CONFIRM https://sogo.nu/bugs/view.php?id=3696
inverse-inc -- sogo 	Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6191&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-6191 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6191
MLIST http://www.openwall.com/lists/oss-security/2016/07/09/3
CONFIRM https://github.com/inverse-inc/sogo/commit/64ce3c9c22fd9a28caabf11e76216cd53d0245aa
CONFIRM https://sogo.nu/bugs/view.php?id=3718
libdwarf_project -- libdwarf 	The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via an object file with empty bss-like sections. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5028&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5028 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5028
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The create_fullest_file_path function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted dwarf file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5029&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5029 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5029
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The _dwarf_calculate_info_section_end_ptr function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5030&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5030 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5030
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5031&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5031 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5031
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The dwarf_get_xu_hash_entry function in libdwarf before 20160923 allows remote attackers to cause a denial of service (crash) via a crafted file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5032&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5032 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5032
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The print_exprloc_content function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5033&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5033 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5033
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file, related to relocation records. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5034&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5034 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5034
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The _dwarf_read_line_table_header function in dwarf_line_table_reader.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5035&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5035 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5035
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The dump_block function in print_sections.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted frame data. 	2017-02-17 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5036&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-5036 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5036
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The _dwarf_load_section function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5037&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5037 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5037
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The dwarf_get_macro_startend_file function in dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted string offset for .debug_str. 	2017-02-17 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5038&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-5038 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5038
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The get_attr_value function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted object with all-bits on. 	2017-02-17 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5039&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-5039 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5039
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a large length value in a compilation unit header. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5040&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-5040 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5040
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The dwarf_get_aranges_list function in libdwarf before 20160923 allows remote attackers to cause a denial of service (infinite loop and crash) via a crafted DWARF section. 	2017-02-17 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5042&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-5042 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5042
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1332145
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The dwarf_dealloc function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted DWARF section. 	2017-02-17 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5043&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-5043 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5043
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The WRITE_UNALIGNED function in dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted DWARF section. 	2017-02-17 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5044&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-5044 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5044
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://www.prevanders.net/dwarfbug.html
libdwarf_project -- libdwarf 	The read_line_table_program function in dwarf_line_table_reader_common.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted input. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7510&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7510 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7510
MISC https://bugzilla.redhat.com/show_bug.cgi?id=1377015
CONFIRM https://sourceforge.net/p/libdwarf/bugs/4/
libdwarf_project -- libdwarf 	Integer overflow in dwarf_die_deliv.c in libdwarf 20160613 allows remote attackers to cause a denial of service (crash) via a crafted file. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7511&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2016-7511 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7511
CONFIRM https://sourceforge.net/p/libdwarf/bugs/3/
CONFIRM https://www.prevanders.net/dwarfbug.html#DW201609-002
linux -- linux_kernel 	The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 does not restrict the address calculated by a certain rounding operation, which allows local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context. 	2017-02-24 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5669&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2017-5669 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5669
MISC https://bugzilla.kernel.org/show_bug.cgi?id=192931
CONFIRM https://github.com/torvalds/linux/commit/e1d35d4dc7f089e6c9c080d556feedf9c706f0c7
linux -- linux_kernel 	The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. 	2017-02-23 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6214&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2017-6214 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6214
CONFIRM http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82
CONFIRM http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.11
CONFIRM https://github.com/torvalds/linux/commit/ccf7abb93af09ad0868ae9033d1ca8108bdaec82
mail-masta -- mail-masta_plugin 	A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (requires authentication to WordPress admin) with the GET parameter filter_list. 	2017-02-21 	6.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6096&vector=(AV:N/AC:L/Au:S/C:P/I:P/A:P) 	CVE-2017-6096 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6096
MISC https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
mail-masta -- mail-masta_plugin 	A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (requires authentication to WordPress admin) with the POST parameter camp_id. 	2017-02-21 	6.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6097&vector=(AV:N/AC:L/Au:S/C:P/I:P/A:P) 	CVE-2017-6097 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6097
MISC https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
mail-masta -- mail-masta_plugin 	A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (requires authentication to WordPress admin) with the POST parameter list_id. 	2017-02-21 	6.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6098&vector=(AV:N/AC:L/Au:S/C:P/I:P/A:P) 	CVE-2017-6098 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6098
MISC https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
mantisbt -- mantisbt 	Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter. 	2017-02-17 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-5364&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2016-5364 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5364
MLIST http://www.openwall.com/lists/oss-security/2016/06/11/5
CONFIRM https://github.com/mantisbt/mantisbt/commit/11ab3d6c82a1d3a89b1024f77349fb60a83743c5
CONFIRM https://github.com/mantisbt/mantisbt/commit/5068df2dcf79c34741c746c9b27e0083f2a374da
CONFIRM https://mantisbt.org/bugs/view.php?id=20956
metalgenix -- genixcms 	SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter. 	2017-02-17 	6.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6065&vector=(AV:N/AC:L/Au:S/C:P/I:P/A:P) 	CVE-2017-6065 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6065
MISC https://github.com/semplon/GeniXCMS/issues/71
shadow_project -- shadow 	Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. 	2017-02-17 	4.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6252&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:P) 	CVE-2016-6252 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6252
MLIST http://www.openwall.com/lists/oss-security/2016/07/19/6
MLIST http://www.openwall.com/lists/oss-security/2016/07/19/7
MLIST http://www.openwall.com/lists/oss-security/2016/07/20/2
MLIST http://www.openwall.com/lists/oss-security/2016/07/25/7
BID http://www.securityfocus.com/bid/92055
CONFIRM https://bugzilla.suse.com/show_bug.cgi?id=979282
CONFIRM https://github.com/shadow-maint/shadow/issues/27
tcpdf_project -- tcpdf 	tcpdf before 6.2.0 uploads files from the server generating PDF-files to an external FTP. 	2017-02-23 	5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6100&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-6100 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6100
MLIST http://www.openwall.com/lists/oss-security/2017/02/19/1
CONFIRM https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814030
CONFIRM https://sourceforge.net/p/tcpdf/bugs/1005/
tnef_project -- tnef 	An issue was discovered in tnef before 1.4.13. Two OOB Writes have been identified in src/mapi_attr.c:mapi_attr_read(). These might lead to invalid read and write operations, controlled by an attacker. 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6307&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6307 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6307
MISC https://github.com/verdammelt/tnef/blob/master/ChangeLog
MISC https://github.com/verdammelt/tnef/commit/1a17af1ed0c791aec44dbdc9eab91218cc1e335a
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/
tnef_project -- tnef 	An issue was discovered in tnef before 1.4.13. Several Integer Overflows, which can lead to Heap Overflows, have been identified in the functions that wrap memory allocation. 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6308&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6308 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6308
MISC https://github.com/verdammelt/tnef/blob/master/ChangeLog
MISC https://github.com/verdammelt/tnef/commit/c5044689e50039635e7700fe2472fd632ac77176
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/
tnef_project -- tnef 	An issue was discovered in tnef before 1.4.13. Two type confusions have been identified in the parse_file() function. These might lead to invalid read and write operations, controlled by an attacker. 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6309&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6309 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6309
MISC https://github.com/verdammelt/tnef/blob/master/ChangeLog
MISC https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/
tnef_project -- tnef 	An issue was discovered in tnef before 1.4.13. Four type confusions have been identified in the file_add_mapi_attrs() function. These might lead to invalid read and write operations, controlled by an attacker. 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6310&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6310 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6310
MISC https://github.com/verdammelt/tnef/blob/master/ChangeLog
MISC https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/
trendmicro -- interscan_web_security_virtual_appliance 	Sensitive Information Disclosure in com.trend.iwss.gui.servlet.ConfigBackup in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to backup the system configuration and download it onto their local machine. This backup file contains sensitive information like passwd/shadow files, RSA certificates, Private Keys and Default Passphrase, etc. This was resolved in Version 6.5 CP 1737. 	2017-02-21 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9314&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2016-9314 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9314
CONFIRM https://success.trendmicro.com/solution/1116672
trendmicro -- interscan_web_security_virtual_appliance 	Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to change Master Admin's password and/or add new admin accounts. This was resolved in Version 6.5 CP 1737. 	2017-02-21 	4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9315&vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 	CVE-2016-9315 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9315
CONFIRM https://success.trendmicro.com/solution/1116672
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "1 of 9. Null Pointer Deref / calloc return value not checked." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6298&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6298 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6298
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "2 of 9. Infinite Loop / DoS in the TNEFFillMapi function in lib/ytnef.c." 	2017-02-23 	4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6299&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 	CVE-2017-6299 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6299
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "3 of 9. Buffer Overflow in version field in lib/tnef-types.h." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6300&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6300 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6300
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "4 of 9. Out of Bounds Reads." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6301&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6301 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6301
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "5 of 9. Integer Overflow." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6302&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6302 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6302
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "6 of 9. Invalid Write and Integer Overflow." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6303&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6303 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6303
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "7 of 9. Out of Bounds read." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6304&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6304 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6304
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "8 of 9. Out of Bounds read and write." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6305&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6305 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6305
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/
ytnef_project -- ytnef 	An issue was discovered in ytnef before 1.9.1. This is related to a patch described as "9 of 9. Directory Traversal using the filename; SanitizeFilename function in settings.c." 	2017-02-23 	6.8 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6306&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 	CVE-2017-6306 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6306
MISC http://www.openwall.com/lists/oss-security/2017/02/15/4
MISC https://github.com/Yeraze/ytnef/pull/27
MISC https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/

Low Vulnerabilities

Primary Vendor -- Product 	Description 	Published 	CVSS Score 	Source & Patch Info
apple -- icloud 	An issue was discovered in certain Apple products. iCloud before 6.1 is affected. The issue involves the "Windows Security" component. It allows local users to obtain sensitive information from iCloud desktop-client process memory via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7614&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7614 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7614
BID http://www.securityfocus.com/bid/94911
CONFIRM https://support.apple.com/HT207424
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. The issue involves the "Contacts" component, which does not prevent an app's Address Book access after access revocation. 	2017-02-20 	3.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4686&vector=(AV:L/AC:L/Au:N/C:P/I:P/A:N) 	CVE-2016-4686 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4686
BID http://www.securityfocus.com/bid/93848
CONFIRM https://support.apple.com/HT207271
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "SpringBoard" component, which allows physically proximate attackers to maintain the unlocked state via vectors related to Handoff with Siri. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7597&vector=(AV:L/AC:L/Au:N/C:N/I:P/A:N) 	CVE-2016-7597 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7597
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Accessibility" component, which accepts spoken passwords without considering that they are locally audible. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7634&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7634 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7634
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Find My iPhone" component, which allows physically proximate attackers to disable this component by bypassing authentication. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7638&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-7638 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7638
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Media Player" component, which allows physically proximate attackers to obtain sensitive photo and contact information by leveraging lockscreen access. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7653&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7653 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7653
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Accessibility" component, which allows physically proximate attackers to obtain sensitive photo and contact information by leveraging the availability of excessive options during lockscreen access. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7664&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7664 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7664
BID http://www.securityfocus.com/bid/94850
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10 is affected. The issue involves the "Springboard" component, which allows physically proximate attackers to obtain sensitive information by viewing application snapshots in the Task Switcher. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7759&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7759 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7759
CONFIRM https://support.apple.com/HT207143
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Clipboard" component, which allows physically proximate attackers to obtain sensitive information in the lockscreen state by viewing clipboard contents. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7765&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7765 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7765
CONFIRM https://support.apple.com/HT207422
apple -- iphone_os 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. The issue involves the "WiFi" component, which allows physically proximate attackers to bypass the activation-lock protection mechanism and view the home screen via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2351&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-2351 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2351
BID http://www.securityfocus.com/bid/95722
CONFIRM https://support.apple.com/HT207482
apple -- mac_os_x 	An issue was discovered in certain Apple products. iOS before 10.1 is affected. macOS before 10.12.1 is affected. The issue involves the "Security" component. It allows local users to discover lengths of arbitrary passwords by reading a log. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-4670&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-4670 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4670
BID http://www.securityfocus.com/bid/94433
CONFIRM https://support.apple.com/HT207271
CONFIRM https://support.apple.com/HT207275
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "OpenPAM" component, which allows local users to obtain sensitive information by leveraging mishandling of failed PAM authentication by a sandboxed app. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7600&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7600 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7600
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOFireWireFamily" component, which allows local users to obtain sensitive information from kernel memory via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7608&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7608 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7608
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOSurface" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7620&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7620 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7620
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOAcceleratorFamily" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7624&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7624 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7624
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOKit" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7625&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7625 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7625
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Assets" component, which allows local users to bypass intended permission restrictions and change a downloaded mobile asset via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7628&vector=(AV:L/AC:L/Au:N/C:N/I:P/A:N) 	CVE-2016-7628 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7628
BID http://www.securityfocus.com/bid/94903
CONFIRM https://support.apple.com/HT207423
apple -- mac_os_x 	An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "WiFi" component, which allows local users to obtain sensitive network-configuration information by leveraging global storage. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7761&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7761 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7761
CONFIRM https://support.apple.com/HT207423
apple -- safari 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. The issue involves the "Safari Reader" component, which allows remote attackers to conduct UXSS attacks via a crafted web site. 	2017-02-20 	2.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7650&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 	CVE-2016-7650 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7650
BID http://www.securityfocus.com/bid/94915
CONFIRM https://support.apple.com/HT207421
CONFIRM https://support.apple.com/HT207422
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "libarchive" component, which allows local users to write to arbitrary files via vectors related to symlinks. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7619&vector=(AV:L/AC:L/Au:N/C:N/I:P/A:N) 	CVE-2016-7619 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7619
BID http://www.securityfocus.com/bid/94905
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the "IOKit" component. It allows local users to obtain sensitive kernel memory-layout information via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7714&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-7714 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7714
CONFIRM https://support.apple.com/HT207422
CONFIRM https://support.apple.com/HT207423
CONFIRM https://support.apple.com/HT207487
apple -- watch_os 	An issue was discovered in certain Apple products. iOS before 10.2.1 is affected. watchOS before 3.1.3 is affected. The issue involves the "Unlock with iPhone" component, which allows attackers to bypass the wrist-presence protection mechanism and unlock a Watch device via unspecified vectors. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-2352&vector=(AV:L/AC:L/Au:N/C:N/I:P/A:N) 	CVE-2017-2352 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2352
BID http://www.securityfocus.com/bid/95730
CONFIRM https://support.apple.com/HT207482
CONFIRM https://support.apple.com/HT207487
cisco -- firepower_management_center 	A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface. More Information: CSCvc72741. Known Affected Releases: 6.2.1. 	2017-02-21 	3.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3847&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 	CVE-2017-3847 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3847
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-fpmc
f5 -- big-ip_application_acceleration_manager 	F5 BIG-IP 12.0.0 and 11.5.0 - 11.6.1 REST requests which timeout during user account authentication may log sensitive attributes such as passwords in plaintext to /var/log/restjavad.0.log. It may allow local users to obtain sensitive information by reading these files. 	2017-02-20 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6249&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-6249 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6249
CONFIRM https://support.f5.com/csp/article/K12685114
ibm -- rational_requirements_composer 	IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1995515. 	2017-02-23 	3.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-6055&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 	CVE-2016-6055 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6055
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21995515
intersect_alliance -- snare_epilog 	Cross-site scripting (XSS) vulnerability in InterSect Alliance SNARE Epilog for UNIX version 1.5 allows remote authenticated users to inject arbitrary web script or HTML via the str_log_name parameter in a "Web Admin Portal > Log Configuration > Add" action. 	2017-02-17 	3.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-5998&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 	CVE-2017-5998 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5998
MISC http://arthrocyber.com/research
mantisbt -- mantisbt 	MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. 	2017-02-17 	2.6 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-7111&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 	CVE-2016-7111 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7111
MLIST http://www.openwall.com/lists/oss-security/2016/08/28/1
MLIST http://www.openwall.com/lists/oss-security/2016/08/29/2
CONFIRM https://github.com/mantisbt/mantisbt/commit/b3511d2f
CONFIRM https://mantisbt.org/bugs/view.php?id=21263
munin-monitoring -- munin 	Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user. 	2017-02-22 	1.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6188&vector=(AV:L/AC:M/Au:N/C:N/I:P/A:N) 	CVE-2017-6188 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6188
CONFIRM https://bugs.debian.org/855705
CONFIRM https://github.com/munin-monitoring/munin/issues/721
trendmicro -- interscan_web_security_virtual_appliance 	Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolved in Version 6.5 CP 1737. 	2017-02-21 	3.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9316&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 	CVE-2016-9316 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9316
CONFIRM https://success.trendmicro.com/solution/1116672
vce_vision -- intelligent_operations 	The System Library in VCE Vision Intelligent Operations before 2.6.5 does not properly implement cryptography, which makes it easier for local users to discover credentials by leveraging administrative access. 	2017-02-21 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2015-4056&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2015-4056 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4056
BUGTRAQ http://seclists.org/bugtraq/2015/Jun/91
wolfssl -- wolfssl 	In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user who has access to view cache on a machine. 	2017-02-23 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-6076&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2017-6076 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6076
CONFIRM https://github.com/wolfSSL/wolfssl/releases/tag/v3.10.2-stable
xen -- xen 	Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation. 	2017-02-22 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9377&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-9377 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9377
BID http://www.securityfocus.com/bid/94475
CONFIRM http://xenbits.xen.org/xsa/advisory-196.html
xen -- xen 	Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery. 	2017-02-22 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9378&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:P) 	CVE-2016-9378 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9378
BID http://www.securityfocus.com/bid/94475
CONFIRM http://xenbits.xen.org/xsa/advisory-196.html
xen -- xen 	Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table. 	2017-02-22 	2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-9384&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) 	CVE-2016-9384 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9384
BID http://www.securityfocus.com/bid/94468
CONFIRM http://xenbits.xen.org/xsa/advisory-194.html
CONFIRM http://xenbits.xen.org/xsa/xsa194.patch

Severity Not Yet Assigned

Primary Vendor -- Product 	Description 	Published 	CVSS Score 	Source & Patch Info
apple -- mac_os_x
  	The installPackage function in the installerHelper subcomponent in Libmacgpg in GPG Suite before 2015.06 allows local users to execute arbitrary commands with root privileges via shell metacharacters in the xmlPath argument. 	2017-02-22 	not yet calculated 	CVE-2014-4677 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4677
MISC https://bierbaumer.net/security/cve-2014-4677/
CONFIRM https://gpgtools.org/releases/gpgsuite/2015.08/release-notes.html
bilboplanet -- bilboplanet
  	Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) tribe_name or (2) tags parameter in a tribes page request to user/ or the (3) user_id or (4) fullname parameter to signup.php. 	2017-02-23 	not yet calculated 	CVE-2014-9916 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9916
EXPLOIT-DB http://www.exploit-db.com/exploits/34089
cisco -- asyncos_software
  	A vulnerability in the Multipurpose Internet Mail Extensions (MIME) scanner of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to bypass configured user filters on the device. Affected Products: This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for Cisco ESA and Cisco WSA, both virtual and hardware appliances, that are configured with message or content filters to scan incoming email attachments on the ESA or services scanning content of web access on the WSA. More Information: SCvb91473, CSCvc76500. Known Affected Releases: 10.0.0-203 9.9.9-894 WSA10.0.0-233. 	2017-02-21 	not yet calculated 	CVE-2017-3827 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3827
CONFIRM https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-asyncos
dell -- vce_vision_intelligent_operations
  	The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations before 2.6.5 sends a cleartext HTTP response upon a request for the Settings screen, which allows remote attackers to discover the admin user password by sniffing the network. 	2017-02-21 	not yet calculated 	CVE-2015-4057 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4057
BUGTRAQ http://seclists.org/bugtraq/2015/Jun/91
ghostscript -- ghostscript
  	Multiple use-after-free vulnerabilities in the gx_image_enum_begin function in base/gxipixel.c in Ghostscript before ecceafe3abba2714ef9b432035fe0739d9b1a283 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document. 	2017-02-23 	not yet calculated 	CVE-2017-6196 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6196
CONFIRM http://git.ghostscript.com/?p=ghostpdl.git;h=ecceafe3abba2714ef9b432035fe0739d9b1a283
CONFIRM https://bugs.ghostscript.com/show_bug.cgi?id=697596
ibm -- jazz
  	IBM Jazz for Service Management 1.1.2.1 and 1.1.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1998714. 	2017-02-24 	not yet calculated 	CVE-2016-9975 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9975
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21998714
ibm -- rhapsody
  	IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1997798. 	2017-02-23 	not yet calculated 	CVE-2016-8974 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8974
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21997798
ibm -- tivoli
  	IBM Tivoli Storage Manager Server 7.1 could allow an authenticated user with TSM administrator privileges to cause a buffer overflow using a specially crafted SQL query and execute arbitrary code on the server. IBM Reference #: 1998747. 	2017-02-24 	not yet calculated 	CVE-2016-8998 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8998
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21998747
ibm -- websphere
  	IBM WebSphere MQ 8.0 could allow an authenticated user with authority to create a cluster object to cause a denial of service to MQ clustering. IBM Reference #: 1998647. 	2017-02-24 	not yet calculated 	CVE-2016-9009 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9009
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg21998647
justsystems -- ichitaro_office
  	JustSystems Ichitaro 2016 Trial contains a vulnerability that exists when trying to open a specially crafted PowerPoint file. Due to the application incorrectly handling the error case for a function's result, the application will use this result in a pointer calculation for reading file data into. Due to this, the application will read data from the file into an invalid address thus corrupting memory. Under the right conditions, this can lead to code execution under the context of the application. 	2017-02-24 	not yet calculated 	CVE-2017-2791 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2791
MISC http://www.talosintelligence.com/reports/TALOS-2016-0199/
justsystems -- ichitaro_office
  	When processing a record type of 0x3c from a Workbook stream from an Excel file (.xls), JustSystems Ichitaro Office trusts that the size is greater than zero, subtracts one from the length, and uses this result as the size for a memcpy. This results in a heap-based buffer overflow and can lead to code execution under the context of the application. 	2017-02-24 	not yet calculated 	CVE-2017-2790 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2790
MISC http://www.talosintelligence.com/reports/TALOS-2016-0197/
justsystems -- ichitaro_office
  	When copying filedata into a buffer, JustSystems Ichitaro Office 2016 Trial will calculate two values to determine how much data to copy from the document. If both of these values are larger than the size of the buffer, the application will choose the smaller of the two and trust it to copy data from the file. This value is larger than the buffer size, which leads to a heap-based buffer overflow. This overflow corrupts an offset in the heap used in pointer arithmetic for writing data and can lead to code execution under the context of the application. 	2017-02-24 	not yet calculated 	CVE-2017-2789 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2789
MISC http://www.talosintelligence.com/reports/TALOS-2016-0196/
libdwarf -- libdwarf
  	dwarf_form.c in libdwarf 20160115 allows remote attackers to cause a denial of service (crash) via a crafted elf file. 	2017-02-24 	not yet calculated 	CVE-2016-5027 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5027
MLIST http://www.openwall.com/lists/oss-security/2016/05/24/1
MLIST http://www.openwall.com/lists/oss-security/2016/05/25/1
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1330237
libiberty -- libiberty
  	Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "ktypevec." 	2017-02-24 	not yet calculated 	CVE-2016-4488 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4488
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
libiberty -- libiberty
  	Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "btypevec." 	2017-02-24 	not yet calculated 	CVE-2016-4487 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4487
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
libiberty -- libiberty
  	Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow. 	2017-02-24 	not yet calculated 	CVE-2016-2226 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2226
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
libiberty -- libiberty
  	Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the "demangling of virtual tables." 	2017-02-24 	not yet calculated 	CVE-2016-4489 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4489
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70492
libiberty -- libiberty
  	Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths. 	2017-02-24 	not yet calculated 	CVE-2016-4490 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4490
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70498
libiberty -- libiberty
  	Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary. 	2017-02-24 	not yet calculated 	CVE-2016-4492 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4492
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
MLIST https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html
libiberty -- libiberty
  	The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary. 	2017-02-24 	not yet calculated 	CVE-2016-4493 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4493
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70926
MLIST https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00223.html
libiberty -- libiberty
  	The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having "itself as ancestor more than once." 	2017-02-24 	not yet calculated 	CVE-2016-4491 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4491
MLIST http://www.openwall.com/lists/oss-security/2016/05/05/5
CONFIRM https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70909
MLIST https://gcc.gnu.org/ml/gcc-patches/2016-05/msg00105.html
microsoft -- windows
  	gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote attackers to obtain sensitive information from process heap memory via a crafted EMF file, as demonstrated by an EMR_SETDIBITSTODEVICE record with modified Device Independent Bitmap (DIB) dimensions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3216, CVE-2016-3219, and/or CVE-2016-3220. 	2017-02-20 	not yet calculated 	CVE-2017-0038 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0038
MISC https://bugs.chromium.org/p/project-zero/issues/detail?id=992
opentext -- documentum_content_server
  	OpenText Documentum Content Server (formerly EMC Documentum Content Server) 7.3, when PostgreSQL Database is used and return_top_results_row_based config option is false, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML or DDL commands via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2520. 	2017-02-22 	not yet calculated 	CVE-2017-5585 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5585
MISC http://packetstormsecurity.com/files/141124/OpenText-Documentum-Content-Server-7.3-SQL-Injection.html
opentext -- documentum_d2
  	OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the BeanShell (bsh) and Apache Commons Collections (ACC) libraries. 	2017-02-22 	not yet calculated 	CVE-2017-5586 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5586
MISC http://packetstormsecurity.com/files/141105/OpenText-Documentum-D2-4.x-Remote-Code-Execution.html
EXPLOIT-DB https://www.exploit-db.com/exploits/41366/
paypal -- paypal
  	Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter. 	2017-02-23 	not yet calculated 	CVE-2017-6099 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6099
MISC https://github.com/paypal/merchant-sdk-php/issues/129
pcsc-lite -- pcsc-lite
  	Use-after-free vulnerability in pcsc-lite before 1.8.20 allows remote attackers to cause a denial of service (crash) via a command that uses "cardsList" after the handle has been released through the SCardReleaseContext function. 	2017-02-23 	not yet calculated 	CVE-2016-10109 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10109
MLIST http://www.openwall.com/lists/oss-security/2017/01/03/3
BID http://www.securityfocus.com/bid/95263
UBUNTU http://www.ubuntu.com/usn/USN-3176-1
CONFIRM https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22
MLIST https://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20161226/000779.html
plone -- plone
  	Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. 	2017-02-24 	not yet calculated 	CVE-2016-4043 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4043
MLIST http://www.openwall.com/lists/oss-security/2016/04/20/3
CONFIRM https://plone.org/security/hotfix/20160419/bypass-restricted-python
plone -- plone
  	Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors. 	2017-02-24 	not yet calculated 	CVE-2016-4041 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4041
MLIST http://www.openwall.com/lists/oss-security/2016/04/20/1
CONFIRM https://plone.org/security/hotfix/20160419/privilege-escalation-in-webdav
plone -- plone
  	Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors. 	2017-02-24 	not yet calculated 	CVE-2016-4042 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4042
MLIST http://www.openwall.com/lists/oss-security/2016/04/20/2
CONFIRM https://plone.org/security/hotfix/20160419/unauthorized-disclosure-of-site-content
quagga -- quagga
  	It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent. 	2017-02-22 	not yet calculated 	CVE-2016-1245 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1245
CONFIRM http://www.gossamer-threads.com/lists/quagga/users/31952
BID http://www.securityfocus.com/bid/93775
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1386109
CONFIRM https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
CONFIRM https://www.debian.org/security/2016/dsa-3695
siemens -- simatic
  	Siemens SIMATIC Logon prior to V1.5 SP3 Update 2 could allow an attacker with knowledge of a valid user name, and physical or network access to the affected system, to bypass the application-level authentication. 	2017-02-21 	not yet calculated 	CVE-2017-2684 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2684
CONFIRM https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-931064.pdf
teeworlds -- teeworlds
  	The CClient::ProcessServerPacket method in engine/client/client.cpp in Teeworlds before 0.6.4 allows remote servers to write to arbitrary physical memory locations and possibly execute arbitrary code via vectors involving snap handling. 	2017-02-22 	not yet calculated 	CVE-2016-9400 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9400
MLIST http://www.openwall.com/lists/oss-security/2016/11/16/8
MLIST http://www.openwall.com/lists/oss-security/2016/11/17/8
BID http://www.securityfocus.com/bid/94381
CONFIRM https://github.com/teeworlds/teeworlds/commit/ff254722a2683867fcb3e67569ffd36226c4bc62
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C4JNSBXXPE7O32ZMFK7D7YL6EKLG7PRV/
CONFIRM https://www.teeworlds.com/?page=news&id=12086
radare -- radare2
  	The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by the r_read_le32 function. 	2017-02-23 	not yet calculated 	CVE-2017-6197 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6197
CONFIRM https://github.com/radare/radare2/commit/1ea23bd6040441a21fbcfba69dce9a01af03f989
CONFIRM https://github.com/radare/radare2/issues/6816

This product is provided subject to this Notification http://www.us-cert.gov/privacy/notification and this Privacy & Use http://www.us-cert.gov/privacy/ policy.



A copy of this publication is available at www.us-cert.gov https://www.us-cert.gov . If you need help or have questions, please send an email to info at us-cert.gov.