CVE-2017-11395

Affected configuration(s):

cpe:/a:trendmicro:smart_protection_server:3.1
cpe:/a:trendmicro:smart_protection_server:3.2

Date published: 2017-09-22T12:29:00.197-04:00

Date last modified: 2017-09-29T18:33:58.433-04:00

CVSS Score: 6.5

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://www.coresecurity.com/advisories/trend-micro-smart-protection-os-command-injection

Summary: Command injection vulnerability in Trend Micro Smart Protection Server (Standalone) 3.1 and 3.2 server administration UI allows attackers with authenticated access to execute arbitrary code on vulnerable installations.

CVE-2017-11396

Affected configuration(s):

cpe:/a:trendmicro:web_security_virtual_appliance:6.5

Date published: 2017-09-22T12:29:00.247-04:00

Date last modified: 2017-09-29T18:34:50.390-04:00

CVSS Score: 9.0

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: https://success.trendmicro.com/solution/1117412

Summary: Insufficient inspection of input parameters by the web service in Trend Micro Web Security Virtual Appliance 6.5 may allow attackers who already have administration rights to the console to perform remote code injection.

CVE-2017-14079

Affected configuration(s):

cpe:/a:trendmicro:mobile_security:9.7::~~enterprise~~~

Date published: 2017-09-22T12:29:00.480-04:00

Date last modified: 2017-09-29T18:36:03.097-04:00

CVSS Score: 6.5

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://www.securityfocus.com/bid/100970

Summary: Unrestricted file uploads in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

CVE-2017-14080

Affected configuration(s):

cpe:/a:trendmicro:mobile_security:9.7::~~enterprise~~~

Date published: 2017-09-22T12:29:00.557-04:00

Date last modified: 2017-09-29T18:43:15.410-04:00

CVSS Score: 7.5

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://www.zerodayinitiative.com/advisories/ZDI-17-767

Summary: Authentication bypass vulnerability in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allows attackers to access a specific part of the console using a blank password.

CVE-2017-14078

Affected configuration(s):

cpe:/a:trendmicro:mobile_security:9.7::~~enterprise~~~

Date published: 2017-09-22T12:29:00.277-04:00

Date last modified: 2017-09-29T18:45:21.773-04:00

CVSS Score: 10.0

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://www.securityfocus.com/bid/100966

Summary: SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

CVE-2017-14081

Affected configuration(s):

cpe:/a:trendmicro:mobile_security:9.7::~~enterprise~~~

Date published: 2017-09-22T12:29:00.603-04:00

Date last modified: 2017-09-29T14:11:06.813-04:00

CVSS Score: 6.5

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://www.securityfocus.com/bid/100969

Summary: Proxy command injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attackers to execute arbitrary code on vulnerable installations.

CVE-2017-12611

Affected configuration(s):

cpe:/a:apache:struts:2.0.1
cpe:/a:apache:struts:2.0.2
cpe:/a:apache:struts:2.0.3
cpe:/a:apache:struts:2.0.4
cpe:/a:apache:struts:2.0.5
cpe:/a:apache:struts:2.0.6
cpe:/a:apache:struts:2.0.7
cpe:/a:apache:struts:2.0.8
cpe:/a:apache:struts:2.0.9
cpe:/a:apache:struts:2.0.10
cpe:/a:apache:struts:2.0.11
cpe:/a:apache:struts:2.0.11.1
cpe:/a:apache:struts:2.0.11.2
cpe:/a:apache:struts:2.0.12
cpe:/a:apache:struts:2.0.13
cpe:/a:apache:struts:2.0.14
cpe:/a:apache:struts:2.1.0
cpe:/a:apache:struts:2.1.1
cpe:/a:apache:struts:2.1.2
cpe:/a:apache:struts:2.1.3
cpe:/a:apache:struts:2.1.4
cpe:/a:apache:struts:2.1.5
cpe:/a:apache:struts:2.1.6
cpe:/a:apache:struts:2.1.8
cpe:/a:apache:struts:2.1.8.1
cpe:/a:apache:struts:2.2.1
cpe:/a:apache:struts:2.2.1.1
cpe:/a:apache:struts:2.2.3
cpe:/a:apache:struts:2.2.3.1
cpe:/a:apache:struts:2.3.1
cpe:/a:apache:struts:2.3.1.1
cpe:/a:apache:struts:2.3.1.2
cpe:/a:apache:struts:2.3.3
cpe:/a:apache:struts:2.3.4
cpe:/a:apache:struts:2.3.4.1
cpe:/a:apache:struts:2.3.5
cpe:/a:apache:struts:2.3.6
cpe:/a:apache:struts:2.3.7
cpe:/a:apache:struts:2.3.8
cpe:/a:apache:struts:2.3.9
cpe:/a:apache:struts:2.3.10
cpe:/a:apache:struts:2.3.11
cpe:/a:apache:struts:2.3.12
cpe:/a:apache:struts:2.3.13
cpe:/a:apache:struts:2.3.14
cpe:/a:apache:struts:2.3.14.1
cpe:/a:apache:struts:2.3.14.2
cpe:/a:apache:struts:2.3.14.3
cpe:/a:apache:struts:2.3.15
cpe:/a:apache:struts:2.3.15.1
cpe:/a:apache:struts:2.3.15.2
cpe:/a:apache:struts:2.3.15.3
cpe:/a:apache:struts:2.3.16
cpe:/a:apache:struts:2.3.16.1
cpe:/a:apache:struts:2.3.16.2
cpe:/a:apache:struts:2.3.16.3
cpe:/a:apache:struts:2.3.17
cpe:/a:apache:struts:2.3.19
cpe:/a:apache:struts:2.3.20
cpe:/a:apache:struts:2.3.20.1
cpe:/a:apache:struts:2.3.20.2
cpe:/a:apache:struts:2.3.21
cpe:/a:apache:struts:2.3.22
cpe:/a:apache:struts:2.3.23
cpe:/a:apache:struts:2.3.24.2
cpe:/a:apache:struts:2.3.24.3
cpe:/a:apache:struts:2.3.25
cpe:/a:apache:struts:2.3.26
cpe:/a:apache:struts:2.3.27
cpe:/a:apache:struts:2.3.28
cpe:/a:apache:struts:2.3.28.1
cpe:/a:apache:struts:2.3.29
cpe:/a:apache:struts:2.3.30
cpe:/a:apache:struts:2.3.31
cpe:/a:apache:struts:2.3.32
cpe:/a:apache:struts:2.3.33
cpe:/a:apache:struts:2.5
cpe:/a:apache:struts:2.5:beta1
cpe:/a:apache:struts:2.5:beta2
cpe:/a:apache:struts:2.5:beta3
cpe:/a:apache:struts:2.5.1
cpe:/a:apache:struts:2.5.2
cpe:/a:apache:struts:2.5.3
cpe:/a:apache:struts:2.5.4
cpe:/a:apache:struts:2.5.5
cpe:/a:apache:struts:2.5.6
cpe:/a:apache:struts:2.5.7
cpe:/a:apache:struts:2.5.8
cpe:/a:apache:struts:2.5.9
cpe:/a:apache:struts:2.5.10

Date published: 2017-09-20T13:29:00.400-04:00

Date last modified: 2017-09-29T13:36:43.880-04:00

CVSS Score: 7.5

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt

Summary: In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintentional expression in a Freemarker tag instead of a string literal can lead to an RCE attack.

CVE-2017-1000249

Affected configuration(s):

cpe:/a:file_project:file:5.29

Date published: 2017-09-11T15:29:00.200-04:00

Date last modified: 2017-11-07T21:29:02.333-05:00

CVSS Score: 2.1

Principal attack vector: LOCAL

Complexity: LOW

Reference URL: http://www.debian.org/security/2017/dsa-3965

Summary: An issue in file(), introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016), lets an attacker overwrite a fixed 20-byte stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).

CVE-2017-14141

Affected configuration(s):

cpe:/a:kaltura:kaltura_server:mercury-13.1.0

Date published: 2017-09-19T11:29:00.977-04:00

Date last modified: 2017-10-03T13:11:31.020-04:00

CVSS Score: 6.5

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: http://www.securityfocus.com/bid/100976

Summary: The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.

CVE-2017-14124

Affected configuration(s):

cpe:/a:unicon-software:rp:4.0.1
cpe:/a:unicon-software:rp:4.2
cpe:/a:unicon-software:rp:4.4.0
cpe:/a:unicon-software:rp:4.5.0
cpe:/a:unicon-software:rp:4.6.0
cpe:/a:unicon-software:rp:4.7.0
cpe:/a:unicon-software:rp:4.7.1
cpe:/a:unicon-software:rp:4.8.0
cpe:/a:unicon-software:rp:4.9.0
cpe:/a:unicon-software:rp:4.10.0
cpe:/a:unicon-software:rp:4.11.0
cpe:/a:unicon-software:rp:4.11.1
cpe:/a:unicon-software:rp:4.11.3
cpe:/a:unicon-software:rp:4.11.5
cpe:/a:unicon-software:rp:5.0.0
cpe:/a:unicon-software:rp:5.1.0
cpe:/a:unicon-software:rp:5.2.0
cpe:/a:unicon-software:rp:5.3.0
cpe:/a:unicon-software:rp:5.4.0
cpe:/a:unicon-software:rp:5.4.1
cpe:/a:unicon-software:rp:5.5.0::~~ltsr~~~
cpe:/a:unicon-software:rp:5.6.0::~~cr~~~

Date published: 2017-09-13T12:29:00.510-04:00

Date last modified: 2017-09-29T11:41:41.853-04:00

CVSS Score: 3.3

Principal attack vector: LOCAL

Complexity: MEDIUM

Reference URL: https://www.myelux.com/cvesingle.htm?cve_id=CVE-2017-14124

Summary: In eLux RP 5.x before 5.5.1000 LTSR and 5.6.x before 5.6.2 CR, when classic desktop mode is used, it is possible to start applications other than those defined, even if the user does not have permission to change application definitions.