Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-2152 | 1 Buffalo Inc | 2 Wnc01wh, Wnc01wh Firmware | 2017-05-06 | 5.2 MEDIUM | 6.8 MEDIUM |
| WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to execute arbitrary OS commands via unspecified vectors. | |||||
| CVE-2017-8115 | 1 Modx | 1 Modx Revolution | 2017-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| Directory traversal in setup/processors/url_search.php (aka the search page of an unused processor) in MODX Revolution 2.5.7 might allow remote attackers to obtain system directory information. | |||||
| CVE-2017-2148 | 1 Iodata | 2 Wn-ac1167gr, Wn-ac1167gr Firmware | 2017-05-05 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in WN-AC1167GR firmware version 1.04 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-5625 | 1 Oneplus | 3 Oneplus 3, Oneplus 3t, Oxygenos | 2017-05-05 | 2.1 LOW | 4.6 MEDIUM |
| In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized attacker can cause a locked bootloader to partially dump the ciphertext content of an arbitrary partition (except 'keystore') by issuing the 'fastboot oem dump <partition>' fastboot command. | |||||
| CVE-2017-2150 | 1 Booking Calendar Project | 1 Booking Calendar | 2017-05-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| Directory traversal vulnerability in Booking Calendar version 7.0 and earlier allows remote attackers to read arbitrary files via specially crafted captcha_chalange parameter. | |||||
| CVE-2017-2151 | 1 Booking Calendar Project | 1 Booking Calendar | 2017-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Booking Calendar version 7.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-2136 | 1 Wp Statistics | 1 Wp Statistics | 2017-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WP Statistics version 12.0.4 and earlier allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. | |||||
| CVE-2017-2127 | 1 Yourownprogrammer | 1 Yop Poll | 2017-05-05 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2016-7841 | 1 Olive Design | 1 Olive Diary Dx | 2017-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Olive Diary DX allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||||
| CVE-2016-7839 | 1 Olive Design | 1 Olive Blog | 2017-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Olive Blog allows remote attackers to inject arbitrary web script or HTML via the search parameter. | |||||
| CVE-2017-2117 | 1 Cubecart | 1 Cubecart | 2017-05-05 | 4.0 MEDIUM | 4.9 MEDIUM |
| Directory traversal vulnerability in CubeCart versions prior to 6.1.5 allows attacker with administrator rights to read arbitrary files via unspecified vectors. | |||||
| CVE-2017-2090 | 1 Cubecart | 1 Cubecart | 2017-05-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2017-8106 | 1 Linux | 1 Linux Kernel | 2017-05-05 | 4.9 MEDIUM | 5.5 MEDIUM |
| The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3.12 through 3.15 allows privileged KVM guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via a single-context INVEPT instruction with a NULL EPT pointer. | |||||
| CVE-2017-2098 | 1 Cubecart | 1 Cubecart | 2017-05-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in CubeCart versions prior to 6.1.4 allows remote authenticated attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2017-2100 | 1 Ipa | 1 Appgoat | 2017-05-05 | 6.8 MEDIUM | 6.3 MEDIUM |
| Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3.0.1 and earlier allows remote attackers to conduct DNS rebinding attacks via unspecified vectors. | |||||
| CVE-2017-2123 | 1 Onethird | 1 Onethird Cms | 2017-05-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in OneThird CMS v1.73 Heaven's Door and earlier allows remote attackers to inject arbitrary web script or HTML via language.php. | |||||
| CVE-2017-3560 | 1 Oracle | 1 Hospitality Opera 5 Property Services | 2017-05-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OXI Interface). Supported versions that are affected are 5.4.0.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 5.5.0.x and 5.5.1.x. Easily "exploitable" vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2017-3552 | 1 Oracle | 1 Hospitality Opera 5 Property Services | 2017-05-04 | 3.5 LOW | 4.3 MEDIUM |
| Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Room Image/Picture Setup). Supported versions that are affected are 5.4.0.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 5.5.0.x and 5.5.1.x. Easily "exploitable" vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). | |||||
| CVE-2017-3573 | 1 Oracle | 1 Hospitality Opera 5 Property Services | 2017-05-04 | 6.8 MEDIUM | 6.1 MEDIUM |
| Vulnerability in the Oracle Hospitality OPERA 5 Property Services component of Oracle Hospitality Applications (subcomponent: OPERA Printing). Supported versions that are affected are 5.4.0.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 5.5.0.x and 5.5.1.x. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | |||||
| CVE-2017-2093 | 1 Cybozu | 1 Garoon | 2017-05-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cybozu Garoon 3.0.0 to 4.2.3 allow remote attackers to obtain tokens used for CSRF protection via unspecified vectors. | |||||
| CVE-2017-2114 | 1 Cybozu | 1 Office | 2017-05-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-8057 | 1 Joomla | 1 Joomla\! | 2017-05-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused full path disclosures on systems with enabled error reporting. | |||||
| CVE-2017-7987 | 1 Joomla | 1 Joomla\! | 2017-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component. | |||||
| CVE-2017-8298 | 1 Cnvs | 1 Canvas | 2017-05-03 | 3.5 LOW | 5.4 MEDIUM |
| cnvs.io Canvas 3.3.0 has XSS in the title and content fields of a "Posts > Add New" action, and during creation of new tags and users. | |||||
| CVE-2016-8924 | 1 Ibm | 1 Maximo Asset Management | 2017-05-03 | 4.3 MEDIUM | 5.6 MEDIUM |
| IBM Maximo Asset Management 7.1, 7.5 and 7.6 could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier. An attacker could exploit this vulnerability to gain access to another user's session. IBM X-Force ID: 118537. | |||||
| CVE-2017-7983 | 1 Joomla | 1 Joomla\! | 2017-05-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers. | |||||
| CVE-2017-2092 | 1 Cybozu | 1 Garoon | 2017-05-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-8100 | 1 Artistscope | 1 Copysafe Web Protection | 2017-05-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| There is CSRF in the CopySafe Web Protection plugin before 2.6 for WordPress, allowing attackers to change plugin settings. | |||||
| CVE-2017-5191 | 1 Netiq | 1 Access Manager | 2017-05-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manager 4.2 and 4.3 exists because Access Gateway Error pages do not validate the HTTP Referer header. | |||||
| CVE-2016-8271 | 1 Huawei | 2 Espace Iad, Espace Iad Firmware | 2017-05-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Huawei eSpace IAD V300R002C01SPC100 and earlier versions have an information leak vulnerability; an attacker can check and download the fault information by accessing a special URL. | |||||
| CVE-2017-7986 | 1 Joomla | 1 Joomla\! | 2017-05-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components. | |||||
| CVE-2017-2118 | 1 Wbce | 1 Wbce Cms | 2017-05-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting vulnerability in WBCE CMS 1.1.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-7989 | 1 Joomla | 1 Joomla\! | 2017-05-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden. | |||||
| CVE-2017-7984 | 1 Joomla | 1 Joomla\! | 2017-05-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component. | |||||
| CVE-2016-9693 | 1 Ibm | 2 Business Process Manager, Websphere | 2017-05-02 | 6.8 MEDIUM | 6.1 MEDIUM |
| IBM Business Process Manager 7.5, 8.0, and 8.5 has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. IBM Reference #: 1998655. | |||||
| CVE-2016-9723 | 1 Ibm | 2 Qradar Incident Forensics, Qradar Security Information And Event Manager | 2017-05-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM QRadar 7.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999534. | |||||
| CVE-2017-7386 | 1 Symetrie Project | 1 Symetrie | 2017-05-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| citymont/symetrie v.0.9.6 is vulnerable to a reflected XSS in symetrie-master/app/commands/page.php (model parameter). | |||||
| CVE-2017-8098 | 1 E107 | 1 E107 | 2017-04-29 | 4.3 MEDIUM | 6.5 MEDIUM |
| e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker. | |||||
| CVE-2016-1210 | 1 The Hyakugo Bank | 1 105 Bank | 2017-04-29 | 4.3 MEDIUM | 5.9 MEDIUM |
| The 105 BANK app 1.0 and 1.1 for Android and 1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-8085 | 1 Exponentcms | 1 Exponent Cms | 2017-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php. | |||||
| CVE-2017-7590 | 1 Openidm Project | 1 Openidm | 2017-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| OpenIDM through 4.0.0 and 4.5.0 is vulnerable to persistent cross-site scripting (XSS) attacks within the Admin UI, as demonstrated by a crafted Managed Object Name. | |||||
| CVE-2016-3076 | 1 Python | 1 Pillow | 2017-04-29 | 4.3 MEDIUM | 5.5 MEDIUM |
| Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file. | |||||
| CVE-2016-6333 | 1 Mediawiki | 1 Mediawiki | 2017-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. | |||||
| CVE-2016-6334 | 1 Mediawiki | 1 Mediawiki | 2017-04-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links. | |||||
| CVE-2016-1221 | 1 Jetstar | 1 Jetstar | 2017-04-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| Jetstar App for iOS before 3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2017-2326 | 1 Juniper | 1 Northstar Controller | 2017-04-28 | 6.8 MEDIUM | 6.5 MEDIUM |
| An information disclosure vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unprivileged, authenticated, network-based attacker to replicate the underlying Junos OS VM and all data it maintains to their local system for future analysis. | |||||
| CVE-2017-8071 | 1 Linux | 1 Linux Kernel | 2017-04-28 | 2.1 LOW | 5.5 MEDIUM |
| drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors. | |||||
| CVE-2017-8102 | 1 S9y | 1 Serendipity | 2017-04-28 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admin's cookie and other information by composing a new entry as an editor user. This is related to lack of the serendipity_event_xsstrust plugin and a set_config error in that plugin. | |||||
| CVE-2016-1187 | 1 Cybozu | 1 Kunai | 2017-04-27 | 4.3 MEDIUM | 6.8 MEDIUM |
| Cybozu KUNAI for iPhone 2.0.3 through 3.1.5 and for Android 2.1.2 through 3.0.4 does not verify SSL certificates. | |||||
| CVE-2015-0107 | 1 Ibm | 11 Change And Configuration Management Database, Maximo Asset Management, Maximo Asset Management Essentials and 8 more | 2017-04-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to conduct directory traversal attacks via unspecified vectors. | |||||