| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. |
| The Unified Messaging Service (UMS) in Cisco Unity Connection 10.5 and earlier allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCur06493. |
| Cisco IOS XE 3.5E and earlier on WS-C3850, WS-C3860, and AIR-CT5760 devices does not properly parse the "request system shell" challenge response, which allows local users to obtain Linux root access by leveraging administrative privilege, aka Bug ID CSCur09815. |
| Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 allow remote attackers to execute arbitrary commands by leveraging knowledge of a cross-device secret and a per-device secret, and sending a request to an unspecified HTTP handler on the local network, aka Cisco-Meraki defect ID 00301991. |
| Cisco Integrated Management Controller in Cisco Unified Computing System 2.2(2c)A and earlier allows local users to obtain shell access via a crafted map-nfs command, aka Bug ID CSCup05998. |
| The API in the Guest Server in Cisco Jabber, when the HTML5 CORS feature is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST request, aka Bug ID CSCus19789. |
| Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files. |
| The Graphics component in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; Office 2007 SP3; Office 2010 SP2; Word Viewer; Skype for Business 2016; Lync 2013 SP1; Lync 2010; Lync 2010 Attendee; and Live Meeting 2007 Console allows attackers to execute arbitrary code via a crafted True Type font, aka "True Type Font Parsing Elevation of Privilege Vulnerability." |
| MagickCore/property.c in ImageMagick before 7.0.2-1 allows remote attackers to obtain sensitive memory information via vectors involving the q variable, which triggers an out-of-bounds read. |
| ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message. |
| The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message. |
| IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x before 7.0.0.8 IF2 allows local users to obtain sensitive database information via unspecified vectors. |
| Cisco Adaptive Security Appliance (ASA) Software, when a DHCPv6 relay is configured, allows remote attackers to cause a denial of service (device reload) via crafted DHCP packets on the local network, aka Bug ID CSCur45455. |
| The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS 12.2, 12.4, 15.0, 15.2, 15.3, and 15.4 and IOS XE 3.10.xS through 3.13.xS before 3.13.1S allows remote attackers to spoof Autonomic Networking Registration Authority (ANRA) responses, and consequently bypass intended device and node access restrictions or cause a denial of service (disrupted domain access), via crafted AN messages, aka Bug ID CSCup62191. |
| CFURL in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly validate URLs, which allows remote attackers to execute arbitrary code via a crafted web site. |
| The TCP implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly implement the Urgent (aka out-of-band data) mechanism, which allows remote attackers to cause a denial of service via crafted packets. |
| The Podcasts component in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to discover unique identifiers by reading asset-download request data. |
| Safari in Apple iOS before 8.3 does not delete Recently Closed Tabs data in response to a history-clearing action, which allows attackers to obtain sensitive information by reading a history file. |
| Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as used on iOS before 8.3 and other platforms, does not properly delete browsing-history data from the history.plist file, which allows attackers to obtain sensitive information by reading this file. |
| The Sandbox Profiles component in Apple iOS before 8.3 allows attackers to read the (1) telephone number or (2) e-mail address of a recent contact via a crafted app. |
