Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-14748 | 1 Blizzard | 1 Overwatch | 2017-10-06 | 3.5 LOW | 5.3 MEDIUM |
| Race condition in Blizzard Overwatch 1.15.0.2 allows remote authenticated users to cause a denial of service (season bans and SR losses for other users) by leaving a competitive match at a specific time during the initial loading of that match. | |||||
| CVE-2017-14954 | 1 Linux | 1 Linux Kernel | 2017-10-06 | 2.1 LOW | 5.5 MEDIUM |
| The waitid implementation in kernel/exit.c in the Linux kernel through 4.13.4 accesses rusage data structures in unintended cases, which allows local users to obtain sensitive information, and bypass the KASLR protection mechanism, via a crafted system call. | |||||
| CVE-2017-14717 | 1 Telaxius | 1 Epesi | 2017-10-06 | 3.5 LOW | 5.4 MEDIUM |
| In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter. | |||||
| CVE-2017-14712 | 1 Telaxius | 1 Epesi | 2017-10-06 | 3.5 LOW | 5.4 MEDIUM |
| In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter. | |||||
| CVE-2017-9551 | 1 Mahara | 1 Mahara | 2017-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before 16.10.5 and 17.04 before 17.04.3 are vulnerable to a user submitting potential dangerous payload, e.g. XSS code, to be saved as their name in the usr_registration table. The values are then emailed to the the user and administrator and if accepted become part of the new user's account. | |||||
| CVE-2017-13991 | 1 Hp | 2 Arcsight Enterprise Security Manager, Arcsight Enterprise Security Manager Express | 2017-10-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information leakage vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows disclosure of product license features. | |||||
| CVE-2017-13990 | 1 Hp | 2 Arcsight Enterprise Security Manager, Arcsight Enterprise Security Manager Express | 2017-10-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| An information leakage vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows disclosure of Apache Tomcat application server version. | |||||
| CVE-2017-13986 | 1 Hp | 2 Arcsight Enterprise Security Manager, Arcsight Enterprise Security Manager Express | 2017-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site Scripting(XSS) vulnerability in ArcSight ESM and ArcSight ESM Express, any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1, allows for unintended information when a specific URL is sent to the system. | |||||
| CVE-2017-14922 | 1 Tine20 | 1 Tine 2.0 | 2017-10-05 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS vulnerability via IMG element at "History" of Profile, Calendar, Tasks, and CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users. | |||||
| CVE-2017-14921 | 1 Tine20 | 1 Tine 2.0 | 2017-10-05 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS vulnerability via IMG element at "Filename" of Filemanager in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users. | |||||
| CVE-2017-14920 | 1 Egroupware | 1 Egroupware | 2017-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator. | |||||
| CVE-2017-14841 | 1 Dasinfomedia | 1 Annual Maintenance Contract Management System | 2017-10-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mojoomla Annual Maintenance Contract (AMC) Management System allows Arbitrary File Upload in profilesetting image handling. | |||||
| CVE-2017-14923 | 1 Tine20 | 1 Tine 2.0 | 2017-10-05 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine 2.0 Community Edition before 2017.08.4 allows an authenticated user to inject JavaScript, which is mishandled during rendering by the application administrator and other users. | |||||
| CVE-2017-14974 | 1 Gnu | 1 Binutils | 2017-10-05 | 4.3 MEDIUM | 5.5 MEDIUM |
| The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandle the failure of a certain canonicalization step, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c. | |||||
| CVE-2015-4071 | 1 Helpdesk Pro Project | 1 Helpdesk Pro | 2017-10-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Helpdesk Pro Plugin before 1.4.0 for Joomla! allows remote attackers to read the support tickets of arbitrary users via obtaining the target ticketId, and navigating to http://{target}/component/helpdeskpro/?view=ticket&id={ticketId}. | |||||
| CVE-2015-3420 | 2 Dovecot, Fedoraproject | 2 Dovecot, Fedora | 2017-10-05 | 4.3 MEDIUM | 5.9 MEDIUM |
| The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures. | |||||
| CVE-2017-13984 | 1 Hp | 1 Bsm Platform Application Performance Management System Health | 2017-10-05 | 5.5 MEDIUM | 6.5 MEDIUM |
| An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to delete arbitrary files via servlet directory traversal. | |||||
| CVE-2017-13985 | 1 Hp | 1 Bsm Platform Application Performance Management System Health | 2017-10-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| An authentication vulnerability in HPE BSM Platform Application Performance Management System Health product versions 9.26, 9.30 and 9.40, allows remote users to traverse directory leading to disclosure of information. | |||||
| CVE-2015-7837 | 1 Redhat | 6 Enterprise Linux, Enterprise Linux Desktop, Enterprise Linux Server Aus and 3 more | 2017-10-05 | 2.1 LOW | 5.5 MEDIUM |
| The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions by leveraging improper handling of secure_boot flag across kexec reboot. | |||||
| CVE-2017-14653 | 1 Asp4cms | 1 Aspcms | 2017-10-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| member/Orderinfo.asp in ASP4CMS AspCMS 2.7.2 allows remote authenticated users to read arbitrary order information via a modified OrderNo parameter. | |||||
| CVE-2017-9292 | 1 Lansweeper | 1 Lansweeper | 2017-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Lansweeper before 6.0.0.65 has XSS in an image retrieval URI, aka Bug 542782. | |||||
| CVE-2015-9232 | 1 Good | 1 Good For Enterprise | 2017-10-04 | 2.6 LOW | 5.3 MEDIUM |
| The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also, the Good Dynamic application activation process does not attempt to detect malicious activation attempts involving modified names beginning with a com.good.gdgma substring. Consequently, an attacker could obtain access to intranet data. This issue is only relevant in cases where the user has already downloaded a malicious Android application. | |||||
| CVE-2017-14321 | 1 Mirasvit | 1 Helpdesk Mx | 2017-10-04 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the administrative interface in Mirasvit Helpdesk MX before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) customer name or (2) subject in a ticket. | |||||
| CVE-2017-14865 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. | |||||
| CVE-2017-14866 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer overflow in the Exiv2::s2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. | |||||
| CVE-2017-14857 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Exiv2 0.26, there is an invalid free in the Image class in image.cpp that leads to a Segmentation fault. A crafted input will lead to a denial of service attack. | |||||
| CVE-2017-14858 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer overflow in the Exiv2::l2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. | |||||
| CVE-2015-1849 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2017-10-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential password when TRACE logging is enabled. | |||||
| CVE-2015-5248 | 1 Redhat | 1 Feedhenry Enterprise Mobile Application Platform | 2017-10-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Reflected file download vulnerability in Red Hat Feedhenry Enterprise Mobile Application Platform. | |||||
| CVE-2017-14615 | 1 Watchguard | 1 Fireware | 2017-10-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. When a failed login attempt is made to the login endpoint of the XML-RPC interface, if JavaScript code, properly encoded to be consumed by XML parsers, is embedded as value of the user element, the code will be rendered in the context of any logged in user in the Web UI visiting "Traffic Monitor" sections "Events" and "All." As a side effect, no further events will be visible in the Traffic Monitor until the device is restarted. | |||||
| CVE-2016-10511 | 1 Twitter | 1 Twitter | 2017-10-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitter's server certificates for the /1.1/help/settings.json configuration endpoint, permitting man-in-the-middle attackers the ability to view an application-only OAuth client token and potentially enable unreleased Twitter iOS app features. | |||||
| CVE-2017-14927 | 1 Freedesktop | 1 Poppler | 2017-10-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Poppler 0.59.0, a NULL Pointer Dereference exists in the SplashOutputDev::type3D0() function in SplashOutputDev.cc via a crafted PDF document. | |||||
| CVE-2010-3049 | 1 Cisco | 1 Ios | 2017-10-03 | 4.9 MEDIUM | 5.5 MEDIUM |
| Cisco IOS before 12.2(33)SXI allows local users to cause a denial of service (device reboot). | |||||
| CVE-2010-3050 | 1 Cisco | 1 Ios | 2017-10-03 | 6.8 MEDIUM | 6.5 MEDIUM |
| Cisco IOS before 12.2(33)SXI allows remote authenticated users to cause a denial of service (device reboot). | |||||
| CVE-2017-1551 | 1 Ibm | 1 Api Connect | 2017-10-03 | 5.8 MEDIUM | 6.1 MEDIUM |
| IBM API Connect 5.0.0.0 through 5.0.7.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 131291. | |||||
| CVE-2017-14940 | 1 Gnu | 1 Binutils | 2017-10-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file. | |||||
| CVE-2017-1555 | 1 Ibm | 1 Api Connect | 2017-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545. | |||||
| CVE-2017-1425 | 1 Ibm | 1 Business Process Manager | 2017-10-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 8.0.1.1 and 8.5.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127478. | |||||
| CVE-2015-7315 | 1 Plone | 1 Plone | 2017-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator. | |||||
| CVE-2015-7316 | 1 Plone | 1 Plone | 2017-10-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1. | |||||
| CVE-2015-7896 | 1 Samsung | 2 Galaxy S6, Samsung Mobile | 2017-10-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| LibQJpeg in the Samsung Galaxy S6 before the October 2015 MR allows remote attackers to cause a denial of service (memory corruption and SIGSEGV) via a crafted image file. | |||||
| CVE-2015-7347 | 1 Zcms Project | 1 Zcms | 2017-09-30 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1. | |||||
| CVE-2015-4706 | 1 Ipython | 1 Ipython | 2017-09-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IPython 3.x before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving JSON error messages and the /api/contents path. | |||||
| CVE-2017-14765 | 1 Genixcms | 1 Genixcms | 2017-09-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In GeniXCMS 1.1.4, gxadmin/index.php has XSS via the Menu ID field in a page=menus request. | |||||
| CVE-2017-14761 | 1 Genixcms | 1 Genixcms | 2017-09-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In GeniXCMS 1.1.4, /inc/lib/backend/menus.control.php has XSS via the id parameter. | |||||
| CVE-2017-14762 | 1 Genixcms | 1 Genixcms | 2017-09-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In GeniXCMS 1.1.4, /inc/lib/Control/Backend/menus.control.php has XSS via the id parameter. | |||||
| CVE-2017-1002100 | 1 Kubernetes | 1 Kubernetes | 2017-09-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal. | |||||
| CVE-2017-1531 | 1 Ibm | 1 Business Process Manager | 2017-09-29 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130410. | |||||
| CVE-2017-1530 | 1 Ibm | 1 Business Process Manager | 2017-09-29 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 130409. | |||||
| CVE-2017-7971 | 1 Schneider-electric | 3 Citect Anywhere, Powerscada Anywhere, Powerscada Expert | 2017-09-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 that allows the use of outdated cipher suites and improper verification of peer SSL Certificate. | |||||