Total: 201818 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-2268 | 1 Vtiger | 1 Vtiger Crm | 2017-11-20 | 5.0 MEDIUM | N/A |
| views/Index.php in the Install module in vTiger 6.0 before Security Patch 2 does not properly restrict access, which allows remote attackers to re-install the application via a request that sets the X-Requested-With HTTP header, as demonstrated by executing arbitrary PHP code via the db_name parameter. | |||||
| CVE-2010-2258 | 1 Phpbannerexchange Project | 1 Phpbannerexchange | 2017-11-20 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in signupconfirm.php in phpBannerExchange 1.2 Arabic allows remote attackers to inject arbitrary web script or HTML via the bannerurl parameter. | |||||
| CVE-2014-2542 | 1 Tibco | 3 Messaging Appliance, Rendezvous, Substation Es | 2017-11-19 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Rendezvous Daemon (rvd), Rendezvous Routing Daemon (rvrd), Rendezvous Secure Daemon (rvsd), and Rendezvous Secure Routing Daemon (rvsrd) in TIBCO Rendezvous before 8.4.2, Messaging Appliance before 8.7.1, and Substation ES before 2.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2017-0037 | 1 Microsoft | 2 Edge, Internet Explorer | 2017-11-19 | 7.6 HIGH | 8.1 HIGH |
| Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element. | |||||
| CVE-2017-0059 | 1 Microsoft | 1 Internet Explorer | 2017-11-19 | 4.3 MEDIUM | 4.3 MEDIUM |
| Microsoft Internet Explorer 9 through 11 allow remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." This vulnerability is different from those described in CVE-2017-0008 and CVE-2017-0009. | |||||
| CVE-2017-1340 | 1 Ibm | 1 Jazz Reporting Service | 2017-11-19 | 4.0 MEDIUM | 5.0 MEDIUM |
| IBM Jazz Reporting Service (JRS) 6.0.4 could allow an authenticated user to obtain information on another server that the current report builder interacts with. IBM X-Force ID: 126455. | |||||
| CVE-2017-15988 | 1 Nicephpscripts | 1 Nice Php Faq Script | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525. | |||||
| CVE-2017-15983 | 1 Geniusocean | 1 Mymagazine Magazine & Blog Cms | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. | |||||
| CVE-2017-15986 | 1 Cpa Lead Reward Script Project | 1 Cpa Lead Reward Script | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| CPA Lead Reward Script allows SQL Injection via the username parameter. | |||||
| CVE-2017-15985 | 1 Readymadeb2bscript | 1 Basic B2b Script | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter. | |||||
| CVE-2017-15979 | 1 Odallated | 1 Shareet | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the photo parameter. | |||||
| CVE-2017-15984 | 1 Bekirk | 1 Creative Management System Lite | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Creative Management System (CMS) Lite 1.4 allows SQL Injection via the S parameter to index.php. | |||||
| CVE-2017-15987 | 1 Fake Magazine Cover Script Project | 1 Fake Magazine Cover Script | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter. | |||||
| CVE-2017-15991 | 1 Vastal | 1 Agent Zone | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951, CVE-2009-3497, and CVE-2012-0982. | |||||
| CVE-2016-10699 | 1 D-link | 2 Dsl-2740e, Dsl-2740e Firmware | 2017-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| D-Link DSL-2740E 1.00_BG_20150720 devices are prone to persistent XSS attacks in the username and password fields: a remote unauthenticated user may craft logins and passwords with script tags in them. Because there is no sanitization in the input fields, an unaware logged-in administrator may be a victim when checking the router logs. | |||||
| CVE-2013-4246 | 1 Apache | 1 Subversion | 2017-11-18 | 6.5 MEDIUM | 8.8 HIGH |
| libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties. | |||||
| CVE-2012-5358 | 1 Ektron | 1 Ektron Content Management System | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| The XSLTCompiledTransform function in Ektron Content Management System (CMS) before 8.02 SP5 configures the XSL with enableDocumentFunction set to true, which allows remote attackers to read arbitrary files and consequently bypass authentication, modify viewstate, cause a denial of service, or possibly have unspecified other impact via crafted XSL data. | |||||
| CVE-2012-5357 | 1 Ektron | 1 Ektron Content Management System | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data. | |||||
| CVE-2017-14356 | 1 Hp | 2 Arcsight Enterprise Security Manager, Arcsight Enterprise Security Manager Express | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability in HP ArcSight ESM and HP ArcSight ESM Express, in any 6.x version prior to 6.9.1c Patch 4 or 6.11.0 Patch 1. This vulnerability could be exploited remotely to allow SQL injection. | |||||
| CVE-2017-3933 | 1 Mcafee | 1 Network Data Loss Prevention | 2017-11-18 | 3.5 LOW | 5.4 MEDIUM |
| Embedding Script (XSS) in HTTP Headers vulnerability in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to view confidential information via a cross site request forgery attack. | |||||
| CVE-2017-12460 | 1 Barco | 4 Clickshare Csc-1, Clickshare Csc-1 Firmware, Clickshare Csm-1 and 1 more | 2017-11-18 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in Barco ClickShare CSM-1 firmware before v1.7.0.3 and CSC-1 firmware before v1.10.0.10. An authenticated user can manage the wallpaper collection in the webUI to be shown as background on the ClickShare product. By uploading a wallpaper with a specially crafted name, an HTML injection can be triggered as special characters are not neutralized before output. | |||||
| CVE-2015-3249 | 1 Apache | 1 Traffic Server | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function. | |||||
| CVE-2017-16227 | 2 Debian, Quagga | 2 Debian Linux, Quagga | 2017-11-18 | 5.0 MEDIUM | 7.5 HIGH |
| The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message. | |||||
| CVE-2017-1001001 | 1 Pluxml | 1 Pluxml | 2017-11-18 | 3.5 LOW | 5.4 MEDIUM |
| PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which can result in escalation of privileges. | |||||
| CVE-2012-5636 | 1 Apache | 1 Wicket | 2017-11-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to `<script>` tags in a rendered response. | |||||
| CVE-2017-15920 | 1 Watchdogdevelopment | 2 Anti-malware, Online Security Pro | 2017-11-18 | 5.0 MEDIUM | 7.5 HIGH |
| In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002054. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated. | |||||
| CVE-2017-15921 | 1 Watchdogdevelopment | 2 Anti-malware, Online Security Pro | 2017-11-18 | 5.0 MEDIUM | 7.5 HIGH |
| In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186.150, the zam32.sys driver contains a NULL pointer dereference vulnerability that gets triggered when sending an operation to ioctl 0x80002010. This is due to the input buffer being NULL or the input buffer size being 0 as they are not validated. | |||||
| CVE-2012-1213 | 1 Zimbra | 1 Zimbra | 2017-11-18 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter. | |||||
| CVE-2013-2219 | 2 Fedoraproject, Redhat | 2 389 Directory Server, Directory Server | 2017-11-18 | 4.0 MEDIUM | N/A |
| The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute. | |||||
| CVE-2013-3433 | 1 Cisco | 1 Unified Communications Manager | 2017-11-18 | 6.8 MEDIUM | N/A |
| Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02276. | |||||
| CVE-2013-3434 | 1 Cisco | 1 Unified Communications Manager | 2017-11-18 | 6.8 MEDIUM | N/A |
| Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02242. | |||||
| CVE-2013-3439 | 1 Cisco | 1 Unified Operations Manager | 2017-11-18 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Cisco Unified Operations Manager allows remote attackers to inject arbitrary web script or HTML via a crafted URL in an unspecified HTTP header field, aka Bug ID CSCud80182. | |||||
| CVE-2013-3440 | 1 Cisco | 1 Unified Operations Manager | 2017-11-18 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cisco Unified Operations Manager allow remote attackers to inject arbitrary web script or HTML, and obtain improperly secured cookies, via unspecified vectors, aka Bug ID CSCud80186. | |||||
| CVE-2013-3441 | 1 Cisco | 4 Aironet 3600, Aironet 3600e, Aironet 3600i and 1 more | 2017-11-18 | 5.4 MEDIUM | N/A |
| Cisco Aironet 3600 access points allow remote attackers to cause a denial of service (memory corruption and device crash) by disrupting Cisco Wireless LAN Controller communication and consequently forcing many transitions from FlexConnect mode to Standalone mode, aka Bug ID CSCuh71210. | |||||
| CVE-2013-3744 | 1 Oracle | 2 Jdk, Jre | 2017-11-18 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2400. | |||||
| CVE-2013-3746 | 1 Oracle | 1 Oracle And Sun Systems Product Suite | 2017-11-18 | 7.2 HIGH | N/A |
| Unspecified vulnerability in the Solaris Cluster component in Oracle and Sun Systems Products Suite 3.2, 3.3, and 4 prior to 4.1 SRU 3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Zone Cluster Infrastructure. | |||||
| CVE-2013-3754 | 1 Oracle | 1 Oracle And Sun Systems Product Suite | 2017-11-18 | 7.2 HIGH | N/A |
| Unspecified vulnerability in the Solaris Cluster component in Oracle and Sun Systems Products Suite 3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to HA for TimesTen. | |||||
| CVE-2013-4673 | 1 Symantec | 3 Web Gateway, Web Gateway Appliance 8450, Web Gateway Appliance 8490 | 2017-11-18 | 5.8 MEDIUM | N/A |
| The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 does not properly implement RADIUS authentication, which allows remote attackers to execute arbitrary code by leveraging access to the login prompt. | |||||
| CVE-2016-4366 | 1 Hp | 1 Systems Insight Manager | 2017-11-18 | 7.5 HIGH | 9.8 CRITICAL |
| HPE Systems Insight Manager (SIM) before 7.5.1 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unspecified vectors. | |||||
| CVE-2017-13826 | | | 2017-11-18 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-10140. Reason: This candidate is a reservation duplicate of CVE-2017-10140. Notes: All CVE users should reference CVE-2017-10140 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2017-1000204 | | | 2017-11-17 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-9920. Reason: This candidate is a reservation duplicate of CVE-2016-9920. Notes: All CVE users should reference CVE-2016-9920 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2017-1000161 | | | 2017-11-17 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA due to lack of a reference providing provenance. Notes: none. | |||||
| CVE-2017-1000222 | | | 2017-11-17 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA due to lack of a reference providing provenance. Notes: none. | |||||
| CVE-2017-1000233 | | | 2017-11-17 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-11667. Reason: This candidate is a reservation duplicate of CVE-2017-11667. Notes: All CVE users should reference CVE-2017-11667 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2017-15980 | 1 Rowindex | 1 Us Zip Codes Database Script | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter. | |||||
| CVE-2017-16230 | 1 Typecho | 1 Typecho | 2017-11-17 | 3.5 LOW | 5.4 MEDIUM |
| In admin/write-post.php in Typecho through 1.1, one can log in to the background page, write a new article, and add payload in the article content, resulting in XSS via index.php/action/contents-post-edit. | |||||
| CVE-2014-3624 | 1 Apache | 1 Traffic Server | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. | |||||
| CVE-2017-7732 | 1 Fortinet | 1 Fortimail | 2017-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet FortiMail 5.1 and earlier, 5.2.0 through 5.2.9, and 5.3.0 through 5.3.9 customized pre-authentication webmail login page allows attacker to inject arbitrary web script or HTML via crafted HTTP requests. | |||||
| CVE-2017-7335 | 1 Fortinet | 1 Fortiwlc | 2017-11-17 | 3.5 LOW | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x (6.1-2, 6.1-4 and 6.1-5); 7.0-x (7.0-7, 7.0-8, 7.0-9, 7.0-10); and 8.x (8.0, 8.1, 8.2 and 8.3.0-8.3.2) allows an authenticated user to inject arbitrary web script or HTML via non-sanitized parameters "refresh" and "branchtotable" present in HTTP POST requests. | |||||
| CVE-2017-15976 | 1 Zeescripts | 1 Zeebuddy | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604. | |||||
