Security Vulnerabilities - CVEs Published In February 2017
Use-after-free vulnerability in pcsc-lite before 1.8.20 allows a remote attackers to cause denial of service (crash) via a command that uses "cardsList" after the handle has been released through the SCardReleaseContext function.
CVSS Score
7.5
EPSS Score
0.055
Published
2017-02-23
tcpdf before 6.2.0 uploads files from the server generating PDF-files to an external FTP.
CVSS Score
7.5
EPSS Score
0.003
Published
2017-02-23
The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.
CVSS Score
7.5
EPSS Score
0.065
Published
2017-02-23
IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1997010.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-02-23
IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1995515.
CVSS Score
5.4
EPSS Score
0.003
Published
2017-02-23
IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM Reference #: 1997798.
CVSS Score
8.1
EPSS Score
0.004
Published
2017-02-23
D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Command Bypass attacks via unspecified vectors.
CVSS Score
9.8
EPSS Score
0.024
Published
2017-02-23
D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vectors.
CVSS Score
7.5
EPSS Score
0.464
Published
2017-02-23
It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent.
CVSS Score
9.8
EPSS Score
0.012
Published
2017-02-22
CVE-2017-6077
ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping_IPAddr field of an HTTP POST request.
Known exploited
CVSS Score
9.8
EPSS Score
0.898
Published
2017-02-22