Security Vulnerabilities - CVEs Published In February 2017
Heap-based buffer overflow in the parseSWF_DEFINEFONT function in parser.c in the listswf tool in libming 0.4.7 allows remote attackers to have unspecified impact via a crafted SWF file.
CVSS Score
7.8
EPSS Score
0.004
Published
2017-02-17
Heap-based buffer overflow in the parseSWF_RGBA function in parser.c in the listswf tool in libming 0.4.7 allows remote attackers to have unspecified impact via a crafted SWF file.
CVSS Score
7.8
EPSS Score
0.004
Published
2017-02-17
The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
CVSS Score
6.3
EPSS Score
0.004
Published
2017-02-17
regex.c in GNU ed before 1.14.1 allows attackers to cause a denial of service (crash) via a malformed command, which triggers an invalid free.
CVSS Score
7.5
EPSS Score
0.01
Published
2017-02-17
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
CVSS Score
9.8
EPSS Score
0.04
Published
2017-02-17
Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures.
CVSS Score
7.5
EPSS Score
0.012
Published
2017-02-17
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.
CVSS Score
9.8
EPSS Score
0.017
Published
2017-02-17
The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username.
CVSS Score
5.9
EPSS Score
0.164
Published
2017-02-17
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.3.x before 3.3.16, 4.0.x before 4.0.19, and 5.0.x before 5.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-02-17
The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access.
CVSS Score
7.5
EPSS Score
0.001
Published
2017-02-17