Security Vulnerabilities - CVEs Published In March 2017
QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbitrary commands via unspecified vectors.
CVSS Score
9.8
EPSS Score
0.905
Published
2017-03-23
Nessus 6.6.2 - 6.10.3 contains a flaw related to insecure permissions that may allow a local attacker to escalate privileges when the software is running in Agent Mode. Version 6.10.4 fixes this issue.
CVSS Score
7.8
EPSS Score
0.001
Published
2017-03-23
An unauthenticated remote attacker may be able to disrupt services on F5 BIG-IP 11.4.1 - 11.5.4 devices with maliciously crafted network traffic. This vulnerability affects virtual servers associated with TCP profiles when the BIG-IP system's tm.tcpprogressive db variable value is set to non-default setting "enabled". The default value for the tm.tcpprogressive db variable is "negotiate". An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group.
CVSS Score
5.9
EPSS Score
0.009
Published
2017-03-23
A logged-in user in NetIQ Access Governance Suite 6.0 through 6.4 could escalate privileges to administrator.
CVSS Score
8.8
EPSS Score
0.004
Published
2017-03-23
A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root).
CVSS Score
7.8
EPSS Score
0.001
Published
2017-03-23
An information leak in the NetIQ IDM ServiceNow Driver before 1.0.0.1 could expose cryptographic attributes to logged-in users.
CVSS Score
6.5
EPSS Score
0.006
Published
2017-03-23
A security vulnerability in cookie handling in the http stack implementation in NDSD in Novell eDirectory before 9.0.1 allows remote attackers to bypass intended access restrictions by leveraging predictable cookies.
CVSS Score
7.5
EPSS Score
0.003
Published
2017-03-23
External Entity Processing (XXE) vulnerability in the "risk score" application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users.
CVSS Score
5.5
EPSS Score
0.001
Published
2017-03-23
NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack.
CVSS Score
5.5
EPSS Score
0.001
Published
2017-03-23
The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users.
CVSS Score
8.8
EPSS Score
0.007
Published
2017-03-23