Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2001-1055 | 1 Microsoft | 2 Windows 98, Windows 98se | 2017-10-10 | 5.0 MEDIUM | N/A |
| The Microsoft Windows network stack allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed ARP request packets with random source IP and MAC addresses, as demonstrated by ARPNuke. | |||||
| CVE-2001-1059 | 1 Vmware | 1 Workstation | 2017-10-10 | 3.6 LOW | N/A |
| VMWare creates a temporary file vmware-log.USERNAME with insecure permissions, which allows local users to read or modify license information. | |||||
| CVE-2001-1063 | 1 Caldera | 2 Openunix, Unixware | 2017-10-10 | 7.2 HIGH | N/A |
| Buffer overflow in uidadmin in Caldera Open Unix 8.0.0 and UnixWare 7 allows local users to gain root privileges via a long -S (scheme) command line argument. | |||||
| CVE-2001-1067 | 1 Aol | 1 Aol Server | 2017-10-10 | 10.0 HIGH | N/A |
| Buffer overflow in AOLserver 3.0 allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via an HTTP request with a long Authorization header. | |||||
| CVE-2001-1069 | 1 Adobe | 1 Acrobat Reader | 2017-10-10 | 7.2 HIGH | N/A |
| libCoolType library as used in Adobe Acrobat (acroread) on Linux creates the AdobeFnt.lst file with world-writable permissions, which allows local users to modify the file and possibly modify acroread's behavior. | |||||
| CVE-2001-1071 | 1 Cisco | 2 Catos, Ios | 2017-10-10 | 5.0 MEDIUM | N/A |
| Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP) allows remote attackers to cause a denial of service (memory consumption) via a flood of CDP neighbor announcements. | |||||
| CVE-2001-1072 | 1 Apache | 1 Http Server | 2017-10-10 | 5.0 MEDIUM | N/A |
| Apache with mod_rewrite enabled on most UNIX systems allows remote attackers to bypass RewriteRules by inserting extra / (slash) characters into the requested path, which causes the regular expression in the RewriteRule to fail. | |||||
| CVE-2001-1074 | 1 Webmin | 1 Webmin | 2017-10-10 | 7.2 HIGH | N/A |
| Webmin 0.84 and earlier does not properly clear the HTTP_AUTHORIZATION environment variable when the web server is restarted, which makes authentication information available to all CGI programs and allows local users to gain privileges. | |||||
| CVE-2001-1075 | 1 Sun | 1 Cobalt Raq 3i | 2017-10-10 | 5.0 MEDIUM | N/A |
| poprelayd script before 2.0 in Cobalt RaQ3 servers allows remote attackers to bypass authentication for relaying by causing a "POP login by user" string that includes the attacker's IP address to be injected into the maillog log file. | |||||
| CVE-2001-1079 | 1 Ibm | 1 Aix | 2017-10-10 | 3.6 LOW | N/A |
| create_keyfiles in PSSP 3.2 with DCE 3.1 authentication on AIX creates keyfile directories with world-writable permissions, which could allow a local user to delete key files and cause a denial of service. | |||||
| CVE-2001-1080 | 1 Ibm | 1 Aix | 2017-10-10 | 10.0 HIGH | N/A |
| diagrpt in AIX 4.3.x and 5.1 uses the DIAGDATADIR environment variable to find and execute certain programs, which allows local users to gain privileges by modifying the variable to point to a Trojan horse program. | |||||
| CVE-2001-1083 | 1 Icecast | 1 Icecast | 2017-10-10 | 5.0 MEDIUM | N/A |
| Icecast 1.3.7, and other versions before 1.3.11 with HTTP server file streaming support enabled allows remote attackers to cause a denial of service (crash) via a URL that ends in . (dot), / (forward slash), or \ (backward slash). | |||||
| CVE-2001-1084 | 1 Macromedia | 1 Jrun | 2017-10-10 | 7.5 HIGH | N/A |
| Cross-site scripting vulnerability in Allaire JRun 3.0 and 2.3.3 allows a malicious webmaster to embed Javascript in a request for a .JSP, .shtml, .jsp10, .jrun, or .thtml file that does not exist, which causes the Javascript to be inserted into an error message. | |||||
| CVE-2001-1085 | 1 Jon Zeeff | 1 Lmail | 2017-10-10 | 3.7 LOW | N/A |
| Lmail 2.7 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file. | |||||
| CVE-2001-1088 | 1 Microsoft | 2 Outlook, Outlook Express | 2017-10-10 | 7.5 HIGH | N/A |
| Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user. | |||||
| CVE-2015-0359 | 4 Adobe, Apple, Linux and 1 more | 4 Flash Player, Mac Os X, Linux Kernel and 1 more | 2017-10-07 | 10.0 HIGH | N/A |
| Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346. | |||||
| CVE-2017-1000035 | 1 Tt-rss | 1 Tiny Tiny Rss | 2017-10-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attack | |||||
| CVE-2017-14352 | 1 Hp | 1 Ucmdb Configuration Manager | 2017-10-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A potential security vulnerability has been identified in HP UCMDB Configuration Manager versions 10.10, 10.11, 10.20, 10.21, 10.22, 10.23. These vulnerabilities could be remotely exploited to allow cross-site scripting. | |||||
| CVE-2017-14749 | 1 Jerryscript | 1 Jerryscript | 2017-10-06 | 6.8 MEDIUM | 7.8 HIGH |
| JerryScript 1.0 allows remote attackers to cause a denial of service (jmem_heap_alloc_block_internal heap memory corruption) or possibly execute arbitrary code via a crafted .js file, because unrecognized \ characters cause incorrect 0x00 characters in bytecode.literal data. | |||||
| CVE-2017-14935 | 1 Pulsesecure | 1 Pulse One On-premise | 2017-10-06 | 5.0 MEDIUM | 7.5 HIGH |
| Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly validate requests, which allows remote users to query and obtain sensitive information. | |||||
| CVE-2017-9794 | 1 Apache | 1 Geode | 2017-10-06 | 4.0 MEDIUM | 4.3 MEDIUM |
| When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries. In Apache Geode before 1.2.1, the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view. | |||||
| CVE-2017-1591 | 1 Ibm | 1 Datapower Gateway | 2017-10-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| IBM WebSphere DataPower Appliances 7.0.0 through 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 132368. | |||||
| CVE-2014-8878 | 1 Kde | 1 Kmail | 2017-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network. | |||||
| CVE-2017-13676 | 1 Norton | 1 Remove \& Reinstall | 2017-10-06 | 4.4 MEDIUM | 7.0 HIGH |
| Norton Remove & Reinstall can be susceptible to a DLL preloading vulnerability. These types of issues occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead. Depending on how the application is configured, it will generally follow a specific search path to locate the DLL. The vulnerability can be exploited by a simple file write (or potentially an over-write) which results in a foreign DLL running under the context of the application. A Norton Remove & Reinstall update, version 4.4.0.58, has been released which addresses the aforementioned vulnerability. | |||||
| CVE-2017-5192 | 1 Saltstack | 1 Salt | 2017-10-06 | 6.5 MEDIUM | 8.8 HIGH |
| When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed. | |||||
| CVE-2017-14924 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2017-10-06 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with an IMG element, related to tiki-assignuser.php. | |||||
| CVE-2017-14925 | 1 Tiki | 1 Tikiwiki Cms\/groupware | 2017-10-06 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tiki before 16.3, 17.x before 17.1, 12 LTS before 12.12 LTS, and 15 LTS before 15.5 LTS allows an authenticated user to edit global permissions if an administrator opens a wiki page with an IMG element, related to tiki-objectpermissions.php. For example, an attacker could assign administrator privileges to every unauthenticated user of the site. | |||||
| CVE-2014-9686 | 1 Mapsplugin | 1 Googlemaps | 2017-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Googlemaps plugin 3.2 and earlier for Joomla! allows remote attackers with control of a sub-domain belonging to a victim domain to cause a denial of service via the 'url' parameter to plugin_googlemap3_kmlprxy.php. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7428. | |||||
| CVE-2011-4667 | 1 Cisco | 2 Ios, Nx-os | 2017-10-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| The encryption library in Cisco IOS Software 15.2(1)T, 15.2(1)T1, and 15.2(2)T, Cisco NX-OS in Cisco MDS 9222i Multiservice Modular Switch, Cisco MDS 9000 18/4-Port Multiservice Module, and Cisco MDS 9000 Storage Services Node module before 5.2(6), and Cisco IOS in Cisco VPN Services Port Adaptor for Catalyst 6500 12.2(33)SXI, and 12.2(33)SXJ when IP Security (aka IPSec) is used, allows remote attackers to obtain unencrypted packets from encrypted sessions. | |||||
| CVE-2017-14703 | 1 Cashbackcomparisonscript | 1 Cash Back Comparison | 2017-10-06 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in Cash Back Comparison Script 1.0 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to search/. | |||||
| CVE-2015-7349 | 1 Vasco | 1 Digipass | 2017-10-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the sample feedback.inc file in VASCO DIGIPASS authentication plug-in for Citrix Web Interface allows remote attackers to inject arbitrary web script or HTML via the failmessage parameter. | |||||
| CVE-2015-1526 | 1 Google | 1 Android | 2017-10-06 | 7.1 HIGH | 5.5 MEDIUM |
| The media_server component in Android allows remote attackers to cause a denial of service via a crafted application. | |||||
| CVE-2017-1577 | 1 Ibm | 1 Websphere Portal | 2017-10-06 | 5.0 MEDIUM | 7.5 HIGH |
| IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 132117. | |||||
| CVE-2015-7317 | 2 Kupu Project, Plone | 2 Kupu, Plone | 2017-10-06 | 4.9 MEDIUM | 6.8 MEDIUM |
| Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, and 4.2.0 through 4.2.7 allows remote authenticated users to edit Kupu settings. | |||||
| CVE-2015-5181 | 1 Redhat | 1 Jboss A-mq | 2017-10-06 | 3.5 LOW | 5.4 MEDIUM |
| The JBoss console in A-MQ allows remote attackers to execute arbitrary JavaScript. | |||||
| CVE-2015-9234 | 1 Cfpaypal | 1 Cp Contact Form With Paypal | 2017-10-06 | 6.5 MEDIUM | 7.2 HIGH |
| The cp-contact-form-with-paypal (aka CP Contact Form with PayPal) plugin before 1.1.6 for WordPress has SQL injection via the cp_contactformpp_id parameter to cp_contactformpp.php. | |||||
| CVE-2017-14941 | 1 Jaspersoft | 1 Jasperreports | 2017-10-06 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jaspersoft JasperReports 4.7 suffers from a saved credential disclosure vulnerability, which allows a remote authenticated user to retrieve stored Data Source passwords by accessing flow.html and reading the HTML source code of the page reached in an Edit action for a Data Source connector. | |||||
| CVE-2015-6592 | 1 Huawei | 2 Uap2105, Uap2105 Firmware | 2017-10-06 | 7.2 HIGH | 6.8 MEDIUM |
| Huawei UAP2105 before V300R012C00SPC160(BootRom) does not require authentication to the serial port or the VxWorks shell. | |||||
| CVE-2015-1537 | 1 Google | 1 Android | 2017-10-06 | 9.3 HIGH | 7.8 HIGH |
| Integer overflow in IHDCP.cpp in the media_server component in Android allows remote attackers to execute arbitrary code via a crafted application. | |||||
| CVE-2017-14957 | 1 Blogotext Project | 1 Blogotext | 2017-10-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored XSS vulnerability via a comment in inc/conv.php in BlogoText before 3.7.6 allows an unauthenticated attacker to inject JavaScript. If the victim is an administrator, an attacker can (for example) change global settings or create/delete posts. It is also possible to execute JavaScript against unauthenticated users of the blog. | |||||
| CVE-2017-14958 | 1 Pivotx | 1 Pivotx | 2017-10-06 | 6.5 MEDIUM | 7.2 HIGH |
| lib.php in PivotX 2.3.11 does not properly block uploads of dangerous file types by admin users, which allows remote PHP code execution via an upload of a .php file. | |||||
| CVE-2015-5613 | 1 Octobercms | 1 October | 2017-10-06 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different vulnerability than CVE-2015-5612. | |||||
| CVE-2017-14760 | 1 Eventespresso | 1 Event Espresso Lite | 2017-10-06 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection exists in /includes/event-management/index.php in the event-espresso-free (aka Event Espresso Lite) plugin v3.1.37.12.L for WordPress via the recurrence_id parameter to /wp-admin/admin.php. | |||||
| CVE-2017-1483 | 1 Ibm | 3 Security Identity Governance And Intelligence, Security Identity Manager, Security Privileged Identity Manager | 2017-10-06 | 7.5 HIGH | 8.6 HIGH |
| IBM Security Identity Manager Adapters 6.0 and 7.0 does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM X-Force ID: 128621. | |||||
| CVE-2017-14526 | 1 Opentext | 2 Documentum Administrator, Documentum Webtop | 2017-10-06 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple XML external entity (XXE) vulnerabilities in the OpenText Documentum Administrator 7.2.0180.0055 allow remote authenticated users to list the contents of arbitrary directories, read arbitrary files, cause a denial of service, or, on Windows, obtain Documentum user hashes via a (1) crafted DTD, involving unspecified XML structures in a request to xda/com/documentum/ucf/server/transport/impl/GAIRConnector or crafted XML file in a MediaProfile file (2) import or (3) check in. | |||||
| CVE-2017-14525 | 1 Opentext | 2 Documentum Administrator, Documentum Webtop | 2017-10-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| Multiple open redirect vulnerabilities in OpenText Documentum Webtop 6.8.0160.0073 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect. | |||||
| CVE-2017-14524 | 1 Opentext | 2 Documentum Administrator, Documentum Webtop | 2017-10-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect. | |||||
| CVE-2015-8249 | 1 Manageengine | 1 Desktop Central | 2017-10-06 | 10.0 HIGH | 9.8 CRITICAL |
| The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter. | |||||
| CVE-2017-10701 | 1 Sap | 1 Enterprise Portal | 2017-10-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516. | |||||
| CVE-2017-14751 | 1 Intensewp | 1 Wp Jobs | 2017-10-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Intense WP "WP Jobs" plugin 1.5 for WordPress has XSS, related to the Job Qualification field. | |||||