Total: 201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15975 | 1 Vastal | 1 Dating Zone | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_id' to add_to_cart.php, a different vulnerability than CVE-2008-4461. | |||||
| CVE-2017-15957 | 1 Ingenious School Management System Project | 1 Ingenious School Management System | 2017-11-17 | 6.5 MEDIUM | 8.8 HIGH |
| my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file. | |||||
| CVE-2017-15960 | 1 Yourarticlesdirectory | 1 Article Directory Script | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Article Directory Script 3.0 allows SQL Injection via the id parameter to author.php or category.php. | |||||
| CVE-2017-15962 | 1 Istock Management System Project | 1 Istock Management System | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| iStock Management System 1.0 allows Arbitrary File Upload via user/profile. | |||||
| CVE-2017-15964 | 1 Nicephpscripts | 1 Job Board Script | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI. | |||||
| CVE-2017-15961 | 1 Iproject Management System Project | 1 Iproject Management System | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| iProject Management System 1.0 allows SQL Injection via the ID parameter to index.php. | |||||
| CVE-2017-15958 | 1 Domainzaar | 1 D-park Pro | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| D-Park Pro Domain Parking Script 1.0 allows SQL Injection via the username to admin/loginform.php. | |||||
| CVE-2017-15956 | 1 Converto Video Downloader & Converter Project | 1 Converto Video Downloader & Converter | 2017-11-17 | 5.0 MEDIUM | 7.5 HIGH |
| ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File Download via the token parameter to download.php. | |||||
| CVE-2017-15812 | 1 Easy Appointments Project | 1 Easy Appointments | 2017-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Easy Appointments plugin before 1.12.0 for WordPress has XSS via Settings values in the admin panel. | |||||
| CVE-2009-1198 | 1 Apache | 1 Juddi | 2017-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. | |||||
| CVE-2017-15989 | 1 Online Exam Test Application Project | 1 Online Exam Test Application | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action. | |||||
| CVE-2017-15978 | 1 Arox | 1 School Erp Php Script | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter. | |||||
| CVE-2017-15977 | 1 Protectedlinks | 1 Expiring Download Links | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter. | |||||
| CVE-2017-15687 | 1 Logitech | 1 Media Server | 2017-11-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| DOM Based Cross Site Scripting (XSS) exists in Logitech Media Server 7.7.1, 7.7.2, 7.7.3, 7.7.5, 7.7.6, 7.9.0, and 7.9.1 via a crafted URI. | |||||
| CVE-2017-15992 | 1 Website Broker Script Project | 1 Website Broker Script | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Website Broker Script allows SQL Injection via the 'status_id' parameter to status_list.php. | |||||
| CVE-2015-6839 | 1 Grupo Msa | 1 Vot.ar | 2017-11-17 | 2.1 LOW | 4.6 MEDIUM |
| The parse function in MSA vot.Ar 3.1 does not check whether a candidate receives more than one vote, which allows physically proximate attackers to cast multiple votes for a candidate via a crafted RFID ballot tag. | |||||
| CVE-2017-15993 | 1 Zomato Clone Script Project | 1 Zomato Clone Script | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. | |||||
| CVE-2017-14359 | 1 Hp | 1 Performance Center | 2017-11-17 | 3.5 LOW | 5.4 MEDIUM |
| A potential security vulnerability has been identified in HPE Performance Center version 12.20. The vulnerability could be remotely exploited to allow cross-site scripting. | |||||
| CVE-2008-4446 | 1 Nucleus Cms | 1 Nucleus | 2017-11-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Nucleus EUC-JP 3.31 SP1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-3734 | 1 Redhat | 1 Jboss Application Server | 2017-11-17 | 6.0 MEDIUM | 6.6 MEDIUM |
| ** DISPUTED ** The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console. | |||||
| CVE-2017-16530 | 1 Linux | 1 Linux Kernel | 2017-11-17 | 7.2 HIGH | 6.6 MEDIUM |
| The uas driver in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to drivers/usb/storage/uas-detect.h and drivers/usb/storage/uas.c. | |||||
| CVE-2017-15966 | 1 Zh Yandexmap Project | 1 Zh Yandexmap | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php. | |||||
| CVE-2017-15967 | 1 Mailing-manager | 1 Mailing List Manager Pro | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| Mailing List Manager Pro 3.0 allows SQL Injection via the edit parameter to admin/users in a sort=login action, or the edit parameter to admin/template. | |||||
| CVE-2017-15965 | 1 Nswd | 1 Ns Download Shop | 2017-11-17 | 7.5 HIGH | 9.8 CRITICAL |
| The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action. | |||||
| CVE-2017-15911 | 1 Igniterealtime | 1 Openfire | 2017-11-17 | 3.5 LOW | 4.8 MEDIUM |
| The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application. | |||||
| CVE-2006-5331 | 1 Linux | 1 Linux Kernel | 2017-11-17 | 4.9 MEDIUM | 5.5 MEDIUM |
| The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction. | |||||
| CVE-2012-6270 | 1 Adobe | 1 Shockwave Player | 2017-11-17 | 9.3 HIGH | N/A |
| Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of a Shockwave Player 10.4.0.025 compatibility feature via a crafted HTML document that references Shockwave content with a certain compatibility parameter, related to a "downgrading" attack. | |||||
| CVE-2012-6271 | 1 Adobe | 1 Shockwave Player | 2017-11-17 | 9.3 HIGH | N/A |
| Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of arbitrary signed Xtras via a Shockwave movie that contains an Xtra URL, as demonstrated by a URL for an outdated Xtra. | |||||
| CVE-2013-6044 | 1 Djangoproject | 1 Django | 2017-11-17 | 4.3 MEDIUM | N/A |
| The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme. | |||||
| CVE-2017-8239 | 1 Google | 1 Android | 2017-11-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| In all Android releases from CAF using the Linux kernel, userspace-controlled parameters for flash initialization are not sanitized potentially leading to exposure of kernel memory. | |||||
| CVE-2017-9675 | 1 Dlink | 2 Dir-605l, Dir-605l Firmware | 2017-11-17 | 7.8 HIGH | 7.5 HIGH |
| On D-Link DIR-605L devices, firmware before 2.08UIBetaB01.bin allows an unauthenticated GET request to trigger a reboot. | |||||
| CVE-2009-2853 | 1 Wordpress | 1 Wordpress | 2017-11-16 | 10.0 HIGH | N/A |
| Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/. | |||||
| CVE-2017-15928 | 1 Ox Project | 1 Ox | 2017-11-16 | 5.0 MEDIUM | 7.5 HIGH |
| In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication. | |||||
| CVE-2017-15968 | 1 Contractorscripts | 1 Mybuildersite | 2017-11-16 | 7.5 HIGH | 9.8 CRITICAL |
| MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.php subcategory parameter. | |||||
| CVE-2017-15969 | 1 Pilotgroup | 1 Allsharevideo | 2017-11-16 | 7.5 HIGH | 9.8 CRITICAL |
| PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to search/tag, friends/index, users/profile, or video_catalog/category. | |||||
| CVE-2017-6162 | 1 F5 | 8 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Application Acceleration Manager and 5 more | 2017-11-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, Websafe software version 12.0.0 to 12.1.2, 11.6.0 to 11.6.1, 11.4.0 to 11.5.4, 11.2.1, in some cases TMM may crash when processing TCP traffic. This vulnerability affects TMM via a virtual server configured with a TCP profile. Traffic processing is disrupted while the Traffic Management Microkernel (TMM) restarts. If the affected BIG-IP system is configured to be part of a device group, it will trigger a failover to the peer device. | |||||
| CVE-2017-6161 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Application Acceleration Manager and 8 more | 2017-11-16 | 2.9 LOW | 5.3 MEDIUM |
| In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator software version 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, when ConfigSync is configured, attackers on adjacent networks may be able to bypass the TLS protections usually used to encrypt and authenticate connections to mcpd. This vulnerability may allow remote attackers to cause a denial-of-service (DoS) attack via resource exhaustion. | |||||
| CVE-2017-6163 | 1 F5 | 8 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Application Acceleration Manager and 5 more | 2017-11-16 | 4.3 MEDIUM | 5.9 MEDIUM |
| In F5 BIG-IP LTM, AAM, AFM, APM, ASM, Link Controller, PEM, PSM software version 12.0.0 to 12.1.2, 11.6.0 to 11.6.1, 11.4.0 to 11.5.4, when a virtual server uses the standard configuration of an HTTP/2 or SPDY profile with a Client SSL profile, a remote client that initiates more concurrent streams than the advertised limit can cause a disruption of service. The Traffic Management Microkernel (TMM) data plane is exposed to this issue; the control plane is not exposed. | |||||
| CVE-2017-1554 | 1 Ibm | 1 Infosphere Biginsights | 2017-11-16 | 3.5 LOW | 5.4 MEDIUM |
| IBM Infosphere BigInsights 4.2.0 and 4.2.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 131398. | |||||
| CVE-2017-15882 | 1 Londontrustmedia | 1 Private Internet Access | 2017-11-16 | 5.0 MEDIUM | 7.5 HIGH |
| The London Trust Media Private Internet Access (PIA) application before 1.3.3.1 for Android allows remote attackers to cause a denial of service (application crash) via a large VPN server-list file. | |||||
| CVE-2017-15970 | 1 Phpcityportal | 1 Phpcityportal | 2017-11-16 | 7.5 HIGH | 9.8 CRITICAL |
| PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter. | |||||
| CVE-2007-4550 | 1 Altools | 1 Alpass | 2017-11-16 | 5.1 MEDIUM | N/A |
| Format string vulnerability in ALPass 2.7 English and 3.02 Korean might allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an fnm field in a folder-name record in an ALPASS DB (APW) file. | |||||
| CVE-2017-1553 | 1 Ibm | 1 Infosphere Biginsights | 2017-11-16 | 3.5 LOW | 5.4 MEDIUM |
| IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131397. | |||||
| CVE-2017-1552 | 1 Ibm | 1 Infosphere Biginsights | 2017-11-16 | 4.9 MEDIUM | 5.4 MEDIUM |
| IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to link injection. By persuading a victim to click on a specially-crafted URL link, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 131396. | |||||
| CVE-2015-1835 | 1 Apache | 1 Cordova | 2017-11-16 | 2.6 LOW | 5.3 MEDIUM |
| Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. | |||||
| CVE-2005-0189 | 1 Realnetworks | 2 Realone Player, Realplayer | 2017-11-16 | 7.5 HIGH | N/A |
| Stack-based buffer overflow in the HandleAction function in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to execute arbitrary code via a long ShowPreferences argument. | |||||
| CVE-2005-0190 | 1 Realnetworks | 2 Realone Player, Realplayer | 2017-11-16 | 2.6 LOW | N/A |
| Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing .. (dot dot) sequences in a filename that ends with a ? (question mark) and an allowed file extension (e.g. .mp3), which bypasses the check for the file extension. | |||||
| CVE-2005-0191 | 1 Realnetworks | 2 Realone Player, Realplayer | 2017-11-16 | 5.1 MEDIUM | N/A |
| Off-by-one buffer overflow in the processing of tags in Real Metadata Package (RMP) files in RealPlayer 10.5 (6.0.12.1040) and earlier could allow remote attackers to execute arbitrary code via a long tag. | |||||
| CVE-2008-3604 | 1 Zeescripts | 1 Zeebuddy | 2017-11-16 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in bannerclick.php in ZeeBuddy 2.1 allows remote attackers to execute arbitrary SQL commands via the adid parameter. | |||||
| CVE-2017-15963 | 1 Itechscripts | 1 Gigs Script | 2017-11-16 | 7.5 HIGH | 9.8 CRITICAL |
| iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.php sc parameter or the service-provider.php ser parameter. | |||||
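
Roughly twenty entries above (CVE-2017-15975, CVE-2017-15961, CVE-2017-15970, CVE-2017-15963 and the rest of the "SQL Injection via the ... parameter" family) share one root cause: a request parameter is spliced into a SQL string. The following is an added example, not code from any of the listed products, that reproduces the pattern against an in-memory SQLite table and puts the parameterised version beside it. The table, rows, `api_key` column and the two payloads are constructed for the demo.

```python
import sqlite3

# Added example: a stand-in for the "id parameter to index.php" pattern that
# recurs in the entries above, written against an in-memory SQLite table.
# Table, rows and secrets are constructed for the demo.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO projects VALUES (?, ?, ?, ?)",
        [
            (1, "public-site", "alice", "key-alice-1111"),
            (2, "payroll", "bob", "key-bob-2222"),
            (3, "audit", "carol", "key-carol-3333"),
        ],
    )
    return conn


def project_by_id_vulnerable(conn: sqlite3.Connection, project_id: str) -> list:
    """Equivalent of  "... WHERE id=" . $_GET['ID']  in the PHP scripts above:
    the parameter is spliced into the statement, so its contents become SQL."""
    sql = f"SELECT id, name FROM projects WHERE id = {project_id}"
    return conn.execute(sql).fetchall()


def project_by_id_safe(conn: sqlite3.Connection, project_id: str) -> list:
    """Coerce to the expected type, then bind it; the value never reaches the
    SQL parser as anything but an integer literal."""
    try:
        pid = int(project_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name FROM projects WHERE id = ?", (pid,)).fetchall()


# Two constructed payloads: a tautology that widens the WHERE clause, and a
# UNION that pulls a column the page was never meant to show.
TAUTOLOGY = "1 OR 1=1"
UNION_DUMP = "0 UNION SELECT id, api_key FROM projects"


def demo() -> dict:
    """Run both lookups against the same inputs and return the result sets."""
    conn = build_db()
    return {
        "normal": project_by_id_vulnerable(conn, "2"),
        "tautology_vuln": project_by_id_vulnerable(conn, TAUTOLOGY),
        "union_vuln": project_by_id_vulnerable(conn, UNION_DUMP),
        "normal_safe": project_by_id_safe(conn, "2"),
        "tautology_safe": project_by_id_safe(conn, TAUTOLOGY),
        "union_safe": project_by_id_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} {rows}")
```

The tautology turns a one-row lookup into a full table dump, and the UNION swaps a display column for `api_key`; the bound version rejects both because `int()` refuses the payload before any SQL is built. Binding alone would also be enough (the driver quotes the value), but typing the parameter gives a clean failure mode and a place to log the attempt.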
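
The CVE-2013-6044 entry above describes a redirect-target check that compared only the host part of a URL and so let `javascript:` links through. The block below is an added example, not Django's code: it models the host-only check as the entry describes it, puts a scheme-aware version next to it, and runs both over a set of constructed `?next=` values (the host name `app.example` and the sample URLs are made up).

```python
from urllib.parse import urlparse

# Added example: a model of the redirect-target check described for
# CVE-2013-6044, not Django's own code. A login view's ?next= parameter is
# the typical caller. Host names and sample URLs are constructed.


def is_safe_url_netloc_only(url: str, host: str) -> bool:
    """Pre-fix behaviour as the entry describes it: only the network location
    is checked, so a URL with no host part passes whatever its scheme is."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url(url: str, host: str, allowed_schemes=("http", "https")) -> bool:
    """Hardened check: the same host rule plus an allow-list of schemes.

    A relative URL (empty scheme) is fine; an absolute one must use a scheme
    the application actually redirects to.
    """
    if not url:
        return False
    parts = urlparse(url.strip())
    if parts.netloc and parts.netloc != host:
        return False
    return not parts.scheme or parts.scheme.lower() in allowed_schemes


def redirect_target(next_url: str, host: str, fallback: str = "/") -> str:
    """What a login view should do with a user-supplied ?next= value."""
    return next_url if is_safe_url(next_url, host) else fallback


# Constructed inputs a user or an attacker might send as ?next=
SAMPLES = [
    "/accounts/profile/",
    "https://app.example/dashboard",
    "http://evil.example/phish",
    "//evil.example/phish",
    "javascript:alert(document.domain)",
    "data:text/html,<script>alert(1)</script>",
]


def compare(host: str = "app.example") -> dict:
    """Return {url: (netloc_only_verdict, hardened_verdict)} for SAMPLES."""
    return {u: (is_safe_url_netloc_only(u, host), is_safe_url(u, host)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (old, new) in compare().items():
        print(f"{url:45} netloc-only={old!s:5} hardened={new}")
```

Both checks reject an absolute URL on a foreign host and the protocol-relative `//evil.example/` form, because those carry a netloc. The host-only check accepts `javascript:` and `data:` URLs since `urlparse` gives them an empty netloc; the scheme allow-list is what closes that gap. Later hardening of this kind of check also has to deal with leading backslashes and control characters, which this example does not cover.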
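
The CVE-2005-0190 entry above describes a FILENAME value ending in `?` plus an allowed extension that slips past the extension check and then deletes a file reached through `..` sequences. What follows is an added example, not RealPlayer's code, that models the check-then-use mismatch the wording implies: the extension test runs on the full string, while the code that later acts on the file treats `?` as the start of a query string and discards it. That mechanism, the cache directory `/srv/media/cache` and the sample names are assumptions made for the demo.

```python
import posixpath

# Added example: a model of the check-then-use mismatch described for
# CVE-2005-0190, not RealPlayer's code. Assumed mechanism, following the
# entry's wording: the extension check sees the whole FILENAME value, the
# consumer keeps only the part before '?'. Paths are constructed.

ALLOWED_EXTENSIONS = (".mp3", ".rm", ".ram")
CACHE_DIR = "/srv/media/cache"


def has_allowed_extension(name: str) -> bool:
    return name.lower().endswith(ALLOWED_EXTENSIONS)


def strip_query(name: str) -> str:
    """What the consumer does with the value: keep only the part before '?'."""
    return name.split("?", 1)[0]


def target_vulnerable(filename: str, base: str = CACHE_DIR):
    """Validate the raw tag value, then act on a different string."""
    if not has_allowed_extension(filename):
        return None
    return posixpath.normpath(posixpath.join(base, strip_query(filename)))


def target_hardened(filename: str, base: str = CACHE_DIR):
    """Canonicalise first, validate the canonical form, then confine to base."""
    path = strip_query(filename)
    if not has_allowed_extension(path):
        return None
    full = posixpath.normpath(posixpath.join(base, path))
    # Containment: the resolved path must stay under the cache directory,
    # which also stops '..' names that happen to carry a valid extension.
    if not full.startswith(posixpath.normpath(base) + "/"):
        return None
    return full


SAMPLES = [
    "track01.mp3",                # legitimate
    "../../../etc/passwd?.mp3",   # the bypass the entry describes
    "../../../etc/passwd.mp3",    # traversal with a "valid" extension
    "notes.txt",                  # plainly disallowed
]


def compare() -> dict:
    """Return {filename: (vulnerable_target, hardened_target)} for SAMPLES."""
    return {s: (target_vulnerable(s), target_hardened(s)) for s in SAMPLES}


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:28} vulnerable={vuln}  hardened={hard}")
```

The lesson generalises past this one player: validate the string you are about to use, after every transformation the consumer applies to it, and add a containment check on the resolved path rather than trusting the extension test to keep writes inside the intended directory.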
