CVE-2016-10127
PySAML2 allows remote attackers to conduct XML external entity (XXE) attacks via a crafted SAML XML request or response.
Source: CVE-2016-10127
CVE-2016-10202
Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php.
Source: CVE-2016-10202
CVE-2016-10193
The espeak-ruby gem before 1.0.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the speak, save, bytes or bytes_wav method in lib/espeak/speech.rb.
Source: CVE-2016-10193
CVE-2016-10194
The festivaltts4r gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the (1) to_speech or (2) to_mp3 method in lib/festivaltts4r/festival4r.rb.
Source: CVE-2016-10194
CVE-2016-10203
Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor.
Source: CVE-2016-10203
CVE-2016-10205
Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.
Source: CVE-2016-10205
CVE-2015-2877
** DISPUTED ** Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities.
Source: CVE-2015-2877
CVE-2016-9892
The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.
Source: CVE-2016-9892
CVE-2017-6102 (rockhoist_badges_plugin)
Persistent XSS vulnerability in the WordPress plugin rockhoist-badges v1.2.2.
Source: CVE-2017-6102 (rockhoist_badges_plugin)
CVE-2017-6103 (anyvar_plugin)
Persistent XSS vulnerability in the WordPress plugin AnyVar v0.1.1.
Source: CVE-2017-6103 (anyvar_plugin)