Security Vulnerabilities - CVEs Published In January 2017
An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a reflected Cross Site Scripting vulnerability which affects the raceMasterList.jsp page within the Patient Portal. Inserted payload is rendered within the Patient Portal and the raceMasterList.jsp page does not require authentication. The vulnerability can be used to extract sensitive information or perform attacks against the user's browser. The vulnerability affects the raceMasterList.jsp page and the following parameter: race.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-01-27
An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in Libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be triggered via attempting to decode a crafted BPG image using Libbpg.
CVSS Score
7.5
EPSS Score
0.028
Published
2017-01-26
An exploitable out-of-bounds read vulnerability exists in the client message-parsing functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause an out-of-bounds read resulting in disclosure of memory within the process, the same vulnerability can also be used to trigger a denial of service. An attacker can simply connect to the port and send the packet to trigger this vulnerability.
CVSS Score
8.2
EPSS Score
0.008
Published
2017-01-26
An exploitable stack-based buffer overflow vulnerability exists in the querying functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause a stack-based buffer overflow in the function as_sindex__simatch_by_iname resulting in remote code execution. An attacker can simply connect to the port to trigger this vulnerability.
CVSS Score
9.8
EPSS Score
0.189
Published
2017-01-26
An exploitable stack-based buffer overflow vulnerability exists in the querying functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause a stack-based buffer overflow in the function as_sindex__simatch_list_by_set_binid resulting in remote code execution. An attacker can simply connect to the port to trigger this vulnerability.
CVSS Score
9.8
EPSS Score
0.193
Published
2017-01-26
Unquoted service path vulnerability in Lenovo Edge and Lenovo Slim USB Keyboard Driver versions earlier than 1.21 allows local users to execute code with elevated privileges.
CVSS Score
7.8
EPSS Score
0.001
Published
2017-01-26
The BIOS in Lenovo System X M5, M6, and X6 systems allows administrators to cause a denial of service via updating a UEFI data structure.
CVSS Score
4.9
EPSS Score
0.003
Published
2017-01-26
Privilege escalation vulnerability in Lenovo Transition application used in Lenovo Yoga, Flex and Miix systems running Windows allows local users to execute code with elevated privileges.
CVSS Score
7.8
EPSS Score
0.0
Published
2017-01-26
Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation.
CVSS Score
7.8
EPSS Score
0.001
Published
2017-01-26
Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations.
CVSS Score
6.0
EPSS Score
0.001
Published
2017-01-26