Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-0851 | 1 Google | 1 Android | 2017-12-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability in the Android media framework (libhevc). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-35430570. | |||||
| CVE-2017-0850 | 1 Google | 1 Android | 2017-12-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 7.0, 7.1.1, 7.1.2. Android ID: A-64836941. | |||||
| CVE-2017-0848 | 1 Google | 1 Android | 2017-12-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information disclosure vulnerability in the Android media framework (libeffects). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-64477217. | |||||
| CVE-2017-16946 | 1 Misp | 1 Misp | 2017-12-07 | 4.0 MEDIUM | 4.9 MEDIUM |
| The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log. | |||||
| CVE-2017-2732 | 1 Huawei | 1 Hilink | 2017-12-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| Huawei Hilink APP Versions earlier before 5.0.25.306 has an information leak vulnerability. An attacker may trick a user into installing a malicious application and application can access Hilink APP data. | |||||
| CVE-2017-16961 | 1 Bigtreecms | 1 Bigtree Cms | 2017-12-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request. | |||||
| CVE-2017-15051 | 1 Teampass | 1 Teampass | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an administrator to modify its profile. From there, whenever the administrator accesses the log, it can be XSS'ed. | |||||
| CVE-2017-1650 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 133260. | |||||
| CVE-2017-1607 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132927. | |||||
| CVE-2017-1688 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134063. | |||||
| CVE-2017-1689 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134064. | |||||
| CVE-2017-1678 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 134000. | |||||
| CVE-2017-1593 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132494. | |||||
| CVE-2017-1560 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131759. | |||||
| CVE-2017-1461 | 1 Ibm | 1 Rational Doors Next Generation | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 128460. | |||||
| CVE-2017-8136 | 1 Huawei | 1 Hedex Lite | 2017-12-07 | 4.3 MEDIUM | 5.5 MEDIUM |
| HedEx Earlier than V200R006C00 versions has an arbitrary file download vulnerability. An attacker could exploit it to download arbitrary files on a target device to cause information leak. | |||||
| CVE-2017-7736 | 1 Fortinet | 1 Fortiweb | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb webUI Certificate View page in 5.8.0, 5.7.1 and earlier, allows attackers to inject arbitrary web script or HTML via special crafted malicious certificate import. | |||||
| CVE-2017-16956 | 1 Symphony Project | 1 Symphony | 2017-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title. | |||||
| CVE-2017-14340 | 1 Linux | 1 Linux Kernel | 2017-12-07 | 4.9 MEDIUM | 5.5 MEDIUM |
| The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux kernel before 4.13.2 does not verify that a filesystem has a realtime device, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via vectors related to setting an RHINHERIT flag on a directory. | |||||
| CVE-2017-15110 | 1 Moodle | 1 Moodle | 2017-12-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students. | |||||
| CVE-2017-8199 | 1 Huawei | 6 Max Presence, Max Presence Firmware, Tp3106 and 3 more | 2017-12-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have an out-of-bounds read vulnerability in H323 protocol. An attacker logs in to the system as a user and send crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit will cause process reboot. | |||||
| CVE-2017-8200 | 1 Huawei | 6 Max Presence, Max Presence Firmware, Tp3106 and 3 more | 2017-12-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have an out-of-bounds read vulnerability in H323 protocol. An attacker logs in to the system as a user and send crafted packets to the affected products. Due to insufficient verification of the packets, successful exploit will cause process reboot. | |||||
| CVE-2017-8281 | 1 Google | 1 Android | 2017-12-06 | 2.6 LOW | 4.7 MEDIUM |
| In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition can allow access to already freed memory while querying event status via DCI. | |||||
| CVE-2016-5341 | 1 Google | 1 Android | 2017-12-06 | 7.1 HIGH | 5.9 MEDIUM |
| The GPS component in Android before 2016-12-05 allows man-in-the-middle attackers to cause a denial of service (GPS signal-acquisition delay) via an incorrect xtra.bin or xtra2.bin file on a spoofed Qualcomm gpsonextra.net or izatcloud.net host, aka internal bug 31470303 and external bug 211602 (and AndroidID-7225554). | |||||
| CVE-2017-1000380 | 1 Linux | 1 Linux Kernel | 2017-12-06 | 2.1 LOW | 5.5 MEDIUM |
| sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. | |||||
| CVE-2017-1000209 | 1 Nv-websocket-client Project | 1 Nv-websocket-client | 2017-12-05 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL/TLS servers via an arbitrary valid certificate. | |||||
| CVE-2017-11832 | 1 Microsoft | 3 Windows 7, Windows Server 2008, Windows Server 2012 | 2017-12-05 | 1.9 LOW | 4.7 MEDIUM |
| The Microsoft Windows embedded OpenType (EOT) font engine in Windows 7 SP1, Windows Server 2008 SP2 and 2008 R2 SP1, and Windows Server 2012 allows an attacker to potentially read data that was not intended to be disclosed, due to the way that the Microsoft Windows EOT font engine parses specially crafted embedded fonts, aka "Windows EOT Font Engine Information Disclosure Vulnerability." This CVE ID is unique from CVE-2017-11835. | |||||
| CVE-2017-11880 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2017-12-05 | 1.9 LOW | 4.7 MEDIUM |
| Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 allows an attacker to run a specially crafted application and obtain information to further compromise the user's system due to the Windows kernel improperly initializing objects in memory, aka "Windows Information Disclosure Vulnerability". This CVE ID is unique from CVE-2017-11831. | |||||
| CVE-2017-16919 | 1 Mapos Project | 1 Mapos | 2017-12-05 | 3.5 LOW | 5.4 MEDIUM |
| MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in /clientes/visualizar, which allows remote attackers to inject arbitrary web script or HTML via a crafted description parameter. | |||||
| CVE-2017-1000226 | 1 Fullworks | 1 Stop User Enumeration | 2017-12-04 | 5.0 MEDIUM | 5.3 MEDIUM |
| Stop User Enumeration 1.3.8 allows user enumeration via the REST API | |||||
| CVE-2017-15517 | 1 Netapp | 1 Altavault Ost Plug-in | 2017-12-04 | 2.1 LOW | 5.5 MEDIUM |
| AltaVault OST Plug-in versions prior to 1.2.2 may allow attackers to obtain sensitive information via unspecified vectors. All users are urged to move to a fixed version and change passwords used by Veritas NetBackup to access the OST shares on the NetApp AltaVault as a precaution. | |||||
| CVE-2017-16866 | 1 Finecms | 1 Finecms | 2017-12-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) in core/M_Controller.php via the DR_URI field. | |||||
| CVE-2017-10886 | 1 Cs-cart | 2 Cs-cart, Cs-cart Multivendor | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-4938 | 1 Vmware | 2 Fusion, Workstation | 2017-12-04 | 2.1 LOW | 6.5 MEDIUM |
| VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 8.5.9) contain a guest RPC NULL pointer dereference vulnerability. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. | |||||
| CVE-2017-16819 | 1 Icontime | 2 Rtc-1000, Rtc-1000 Firmware | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges. | |||||
| CVE-2017-10889 | 1 Tablepress | 1 Tablepress | 2017-12-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors. | |||||
| CVE-2017-4930 | 1 Vmware | 1 Airwatch | 2017-12-04 | 3.5 LOW | 5.4 MEDIUM |
| VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device's 'Links' page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL. | |||||
| CVE-2017-4929 | 1 Vmware | 1 Nsx Edge | 2017-12-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| VMware NSX Edge (6.2.x before 6.2.9 and 6.3.x before 6.3.5) contains a moderate Cross-Site Scripting (XSS) issue which may lead to information disclosure. | |||||
| CVE-2017-16842 | 1 Yoast | 1 Wordpress Seo | 2017-12-03 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML. | |||||
| CVE-2017-1000224 | 1 Embedplus | 1 Youtube | 2017-12-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin | |||||
| CVE-2017-1000163 | 1 Phoenixframework | 1 Phoenix | 2017-12-03 | 5.8 MEDIUM | 6.1 MEDIUM |
| The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks. | |||||
| CVE-2017-16758 | 1 Ultimate Instagram Feed Project | 1 Ultimate Instagram Feed | 2017-12-02 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in admin/partials/uif-access-token-display.php in the Ultimate Instagram Feed plugin before 1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "access_token" parameter. | |||||
| CVE-2017-16843 | 1 Vonage | 2 Vdv-23, Vdv-23 Firmware | 2017-12-02 | 3.5 LOW | 5.4 MEDIUM |
| Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKeyword or NewDomain field to /goform/RgParentalBasic. | |||||
| CVE-2017-9095 | 1 Divinglog | 1 Diving Log | 2017-12-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import. | |||||
| CVE-2017-13744 | 1 Liblouis | 1 Liblouis | 2017-12-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is an illegal address access in the function _lou_getALine() in compileTranslationTable.c:343 in Liblouis 3.2.0. | |||||
| CVE-2017-13742 | 1 Liblouis | 1 Liblouis | 2017-12-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is a stack-based buffer overflow in Liblouis 3.2.0, triggered in the function includeFile() in compileTranslationTable.c, that will lead to a remote denial of service attack. | |||||
| CVE-2017-1000201 | 1 Tcmu-runner Project | 1 Tcmu-runner | 2017-12-02 | 2.1 LOW | 5.5 MEDIUM |
| The tcmu-runner daemon in tcmu-runner version 1.0.5 to 1.2.0 is vulnerable to a local denial of service attack | |||||
| CVE-2017-13743 | 1 Liblouis | 1 Liblouis | 2017-12-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is a buffer overflow in Liblouis 3.2.0, triggered in the function _lou_showString() in utils.c, that will lead to a remote denial of service attack. | |||||
| CVE-2017-13741 | 1 Liblouis | 1 Liblouis | 2017-12-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is a use-after-free in the function compileBrailleIndicator() in compileTranslationTable.c in Liblouis 3.2.0 that will lead to a remote denial of service attack. | |||||
| CVE-2017-11863 | 1 Microsoft | 3 Edge, Windows 10, Windows Server 2016 | 2017-12-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Server 2016 and Windows Server, version 1709 allows an attacker to trick a user into loading a page containing malicious content, due to how the Edge Content Security Policy (CSP) validates documents, aka "Microsoft Edge Security Feature Bypass Vulnerability". This CVE ID is unique from CVE-2017-11872 and CVE-2017-11874. | |||||