CVSS: 7.9EPSS: 0%CPEs: 2EXPL: 0CVE-2017-14797
https://notcve.org/view.php?id=CVE-2017-14797
Lack of Transport Encryption in the public API in Philips Hue Bridge BSB002 SW 1707040932 allows remote attackers to read API keys (and consequently bypass the pushlink protection mechanism, and obtain complete control of the connected accessories) by leveraging the ability to sniff HTTP traffic on the local intranet network. La ausencia de cifrado en la capa de transporte en la API publica en Philips Hue Bridge BSB002 SW 1707040932 permite que los atacantes remotos lean claves de API (y en consecuencia omitir el mecanismo de protección pushlink y obtener el control completo de los accesorios conectados) mediante la capacidad para rastrear el tráfico HTTP en la intranet local. • https://www.tiferrei.com/philips-we-need-to-talk • CWE-326: Inadequate Encryption Strength •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2017-3210 – Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution
https://notcve.org/view.php?id=CVE-2017-3210
Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. A number of applications developed using the Portrait Displays SDK do not use secure permissions when running. These applications run the component pdiservice.exe with NT AUTHORITY/SYSTEM permissions. This component is also read/writable by all Authenticated Users. This allows local authenticated attackers to run arbitrary code with SYSTEM privileges. • https://www.kb.cert.org/vuls/id/219739 https://www.securityfocus.com/bid/98006 • CWE-16: Configuration CWE-276: Incorrect Default Permissions •
CVSS: 9.3EPSS: 97%CPEs: 11EXPL: 23CVE-2017-0199 – Microsoft Office and WordPad Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2017-0199
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API." Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1 y Windows 8.1 permiten a atacantes remotos ejecutar código arbitrario a través de un documento manipulado, vulnerabilidad también conocida como "Microsoft Office DLL Loading Vulnerability". Microsoft Excel contains a remote code execution vulnerability upon processing OLE objects. Versions 2007, 2010, 2013, and 2016 are affected on both architectures. Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. • https://www.exploit-db.com/exploits/42995 https://www.exploit-db.com/exploits/41934 https://www.exploit-db.com/exploits/41894 https://github.com/bhdresh/CVE-2017-0199 https://github.com/haibara3839/CVE-2017-0199-master https://github.com/Exploit-install/CVE-2017-0199 https://github.com/NotAwful/CVE-2017-0199-Fix https://github.com/n1shant-sinha/CVE-2017-0199 https://github.com/Sunqiz/CVE-2017-0199-reprofuction https://github.com/herbiezimmerman/2017-11-17-Maldoc-Using- •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2015-2884
https://notcve.org/view.php?id=CVE-2015-2884
Philips In.Sight B120/37 allows remote attackers to obtain sensitive information via a direct request, related to yoics.net URLs, stream.m3u8 URIs, and cam_service_enable.cgi. Philips In.Sight B120/37 permite a atacantes remotos obtener información sensible a través de una respuesta directa, relacionado con las URLs yoics.net, URIs stream.m3u8 y cam_service_enable.cgi. • http://www.securityfocus.com/bid/97683 https://community.rapid7.com/community/infosec/blog/2015/09/02/iotsec-disclosure-10-new-vulns-for-several-video-baby-monitors • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2015-2883
https://notcve.org/view.php?id=CVE-2015-2883
Philips In.Sight B120/37 has XSS, related to the Weaved cloud web service, as demonstrated by the name parameter to deviceSettings.php or shareDevice.php. Philips In.Sight B120/37 tiene XSS, relacionado con el servicio web de nuve Weaved, según lo demostrado mediante el parámetro name para deviceSettings.php o shareDevice.php. • https://community.rapid7.com/community/infosec/blog/2015/09/02/iotsec-disclosure-10-new-vulns-for-several-video-baby-monitors • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •