Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2004-0798 | 1 Ipswitch | 1 Whatsup Gold | 2017-10-05 | 7.5 HIGH | N/A |
| Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter. | |||||
| CVE-2005-4696 | 1 Microsoft | 1 Windows Xp | 2017-10-05 | 2.1 LOW | N/A |
| The Microsoft Wireless Zero Configuration system (WZCS) stores WEP keys and pair-wise Master Keys (PMK) of the WPA pre-shared key in plaintext in memory of the explorer process, which allows attackers with access to process memory to steal the keys and access the network. | |||||
| CVE-2006-5190 | 1 Oscommerce | 1 Oscommerce | 2017-10-05 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php. | |||||
| CVE-2007-5229 | 1 Feedburner | 1 Feedsmith | 2017-10-05 | 6.4 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the FeedBurner FeedSmith 2.2 plugin for WordPress allows remote attackers to change settings and hijack blog feeds via a request to wp-admin/options-general.php that submits parameter values to FeedBurner_FeedSmith_Plugin.php, as demonstrated by the (1) feedburner_url and (2) feedburner_comments_url parameters. | |||||
| CVE-2010-4210 | 1 Freebsd | 1 Freebsd | 2017-10-05 | 7.2 HIGH | N/A |
| The pfs_getextattr function in FreeBSD 7.x before 7.3-RELEASE and 8.x before 8.0-RC1 unlocks a mutex that was not previously locked, which allows local users to cause a denial of service (kernel panic), overwrite arbitrary memory locations, and possibly execute arbitrary code via vectors related to opening a file on a file system that uses pseudofs. | |||||
| CVE-2012-4901 | 1 Template Cms Project | 1 Template Cms | 2017-10-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php. | |||||
| CVE-2012-4902 | 1 Template Cms Project | 1 Template Cms | 2017-10-05 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php or (2) conduct static PHP code injection attacks via the themes_editor parameter in an edit_template action to admin/index.php. | |||||
| CVE-2012-4988 | 1 Xnview | 1 Xnview | 2017-10-05 | 9.3 HIGH | N/A |
| Heap-based buffer overflow in the xjpegls.dll (aka JLS, JPEG-LS, or JPEG lossless) format plugin in XnView 1.99 and 1.99.1 allows remote attackers to execute arbitrary code via a crafted JLS image file. | |||||
| CVE-2012-6534 | 1 Novell | 1 Sentinel Log Manager | 2017-10-05 | 4.3 MEDIUM | N/A |
| Novell Sentinel Log Manager before 1.2.0.3 allows remote attackers to create data retention policies via a crafted text/x-gwt-rpc request to novelllogmanager/datastorageservice.rpc, and allows remote authenticated Report Administrators to create data retention policies via a search-results "Save Query As" "Save As Retention Policy" action. | |||||
| CVE-2013-4810 | 1 Hp | 3 Application Lifecycle Management, Identity Driven Manager, Procurve Manager | 2017-10-05 | 10.0 HIGH | N/A |
| HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874. | |||||
| CVE-2014-7910 | 1 Google | 1 Chrome | 2017-10-05 | 7.5 HIGH | N/A |
| Multiple unspecified vulnerabilities in Google Chrome before 39.0.2171.65 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |||||
| CVE-2017-1000076 | 2017-10-05 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA due to lack of a reference providing provenance. Notes: none. | |||||
| CVE-2017-1000077 | 2017-10-05 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA due to lack of a reference providing provenance. Notes: none. | |||||
| CVE-2017-9292 | 1 Lansweeper | 1 Lansweeper | 2017-10-05 | 4.3 MEDIUM | 6.1 MEDIUM |
| Lansweeper before 6.0.0.65 has XSS in an image retrieval URI, aka Bug 542782. | |||||
| CVE-2015-9232 | 1 Good | 1 Good For Enterprise | 2017-10-04 | 2.6 LOW | 5.3 MEDIUM |
| The Good for Enterprise application 3.0.0.415 for Android does not use signature protection for its Authentication Delegation API intent. Also, the Good Dynamic application activation process does not attempt to detect malicious activation attempts involving modified names beginning with a com.good.gdgma substring. Consequently, an attacker could obtain access to intranet data. This issue is only relevant in cases where the user has already downloaded a malicious Android application. | |||||
| CVE-2017-14320 | 1 Mirasvit | 1 Helpdesk Mx | 2017-10-04 | 6.0 MEDIUM | 8.0 HIGH |
| Mirasvit Helpdesk MX before 1.5.3 might allow remote attackers to execute arbitrary code by leveraging failure to filter uploaded files. | |||||
| CVE-2017-14321 | 1 Mirasvit | 1 Helpdesk Mx | 2017-10-04 | 3.5 LOW | 5.4 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the administrative interface in Mirasvit Helpdesk MX before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) customer name or (2) subject in a ticket. | |||||
| CVE-2017-14865 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer overflow in the Exiv2::us2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. | |||||
| CVE-2017-14866 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer overflow in the Exiv2::s2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. | |||||
| CVE-2017-14857 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Exiv2 0.26, there is an invalid free in the Image class in image.cpp that leads to a Segmentation fault. A crafted input will lead to a denial of service attack. | |||||
| CVE-2017-14858 | 1 Exiv2 | 1 Exiv2 | 2017-10-04 | 4.3 MEDIUM | 5.5 MEDIUM |
| There is a heap-based buffer overflow in the Exiv2::l2Data function of types.cpp in Exiv2 0.26. A Crafted input will lead to a denial of service attack. | |||||
| CVE-2015-1849 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2017-10-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential password when TRACE logging is enabled. | |||||
| CVE-2015-5248 | 1 Redhat | 1 Feedhenry Enterprise Mobile Application Platform | 2017-10-04 | 4.3 MEDIUM | 6.5 MEDIUM |
| Reflected file download vulnerability in Red Hat Feedhenry Enterprise Mobile Application Platform. | |||||
| CVE-2017-14615 | 1 Watchguard | 1 Fireware | 2017-10-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. When a failed login attempt is made to the login endpoint of the XML-RPC interface, if JavaScript code, properly encoded to be consumed by XML parsers, is embedded as value of the user element, the code will be rendered in the context of any logged in user in the Web UI visiting "Traffic Monitor" sections "Events" and "All." As a side effect, no further events will be visible in the Traffic Monitor until the device is restarted. | |||||
| CVE-2017-14616 | 1 Watchguard | 1 Fireware | 2017-10-04 | 7.8 HIGH | 7.5 HIGH |
| An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. If a login attempt is made in the XML-RPC interface with an XML message containing an empty member element, the wgagent crashes, logging out any user with a session opened in the UI. By continuously executing the failed login attempts, UI management of the device becomes impossible. | |||||
| CVE-2016-10511 | 1 Twitter | 1 Twitter | 2017-10-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The Twitter iOS client versions 6.62 and 6.62.1 fail to validate Twitter's server certificates for the /1.1/help/settings.json configuration endpoint, permitting man-in-the-middle attackers the ability to view an application-only OAuth client token and potentially enable unreleased Twitter iOS app features. | |||||
| CVE-2015-5284 | 1 Freeipa | 1 Freeipa | 2017-10-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate and private key in /etc/httpd/alias/kra-agent.pem, which is world readable. | |||||
| CVE-2008-0680 | 1 Microtik | 1 Routeros | 2017-10-04 | 7.8 HIGH | N/A |
| SNMPd in MikroTik RouterOS 3.2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP SET request. | |||||
| CVE-2009-1071 | 1 Randomsoftware | 1 Icarus | 2017-10-04 | 9.3 HIGH | N/A |
| Stack-based buffer overflow in Icarus 2.0 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted Portable Game Notation (.pgn) file. | |||||
| CVE-2017-0605 | 2017-10-04 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2017-7374 | 1 Linux | 1 Linux Kernel | 2017-10-04 | 7.2 HIGH | 7.8 HIGH |
| Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely. | |||||
| CVE-2017-9607 | 1 Arm | 1 Arm-trusted-firmware | 2017-10-03 | 5.1 MEDIUM | 7.0 HIGH |
| The BL1 FWU SMC handling code in ARM Trusted Firmware before 1.4 might allow attackers to write arbitrary data to secure memory, bypass the bl1_plat_mem_check protection mechanism, cause a denial of service, or possibly have unspecified other impact via a crafted AArch32 image, which triggers an integer overflow. | |||||
| CVE-2017-6272 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2017-10-03 | 7.2 HIGH | 7.8 HIGH |
| NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where a value passed from a user to the driver is not correctly validated and used as the index to an array which may lead to a denial of service or possible escalation of privileges. | |||||
| CVE-2017-14927 | 1 Freedesktop | 1 Poppler | 2017-10-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| In Poppler 0.59.0, a NULL Pointer Dereference exists in the SplashOutputDev::type3D0() function in SplashOutputDev.cc via a crafted PDF document. | |||||
| CVE-2010-3049 | 1 Cisco | 1 Ios | 2017-10-03 | 4.9 MEDIUM | 5.5 MEDIUM |
| Cisco IOS before 12.2(33)SXI allows local users to cause a denial of service (device reboot). | |||||
| CVE-2010-3050 | 1 Cisco | 1 Ios | 2017-10-03 | 6.8 MEDIUM | 6.5 MEDIUM |
| Cisco IOS before 12.2(33)SXI allows remote authenticated users to cause a denial of service (device reboot). | |||||
| CVE-2017-1551 | 1 Ibm | 1 Api Connect | 2017-10-03 | 5.8 MEDIUM | 6.1 MEDIUM |
| IBM API Connect 5.0.0.0 through 5.0.7.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 131291. | |||||
| CVE-2015-3887 | 1 Proxychains-ng Project | 1 Proxychains-ng | 2017-10-03 | 7.2 HIGH | 7.8 HIGH |
| Untrusted search path vulnerability in ProxyChains-NG before 4.9 allows local users to gain privileges via a Trojan horse libproxychains4.so library in the current working directory, which is referenced in the LD_PRELOAD path. | |||||
| CVE-2017-14940 | 1 Gnu | 1 Binutils | 2017-10-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file. | |||||
| CVE-2017-14125 | 1 Wpdevart | 1 Responsive Image Gallery Gallery Album | 2017-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL injection vulnerability in the Responsive Image Gallery plugin before 1.2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the "id" parameter in an add_edit_theme task in the wpdevart_gallery_themes page to wp-admin/admin.php. | |||||
| CVE-2017-14647 | 1 Bento4 | 1 Bento4 | 2017-10-03 | 6.8 MEDIUM | 8.8 HIGH |
| A heap-based buffer overflow was discovered in AP4_VisualSampleEntry::ReadFields in Core/Ap4SampleEntry.cpp in Bento4 1.5.0-617. The vulnerability causes an out-of-bounds write, which leads to remote denial of service or possibly code execution. | |||||
| CVE-2017-14652 | 1 Tapatalk | 1 Tapatalk | 2017-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tapatalk plugin before 4.5.8 for MyBB allows an unauthenticated remote attacker to inject arbitrary SQL commands via an XML-RPC encoded document sent as part of the user registration process. | |||||
| CVE-2017-14692 | 1 Stdutility | 1 Stdu Viewer | 2017-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause a denial of service via a crafted .jb2 file, related to a "User Mode Write AV starting at STDUJBIG2File!DllGetClassObject+0x000000000000653b." | |||||
| CVE-2017-14688 | 1 Stdutility | 1 Stdu Viewer | 2017-10-03 | 4.6 MEDIUM | 7.8 HIGH |
| STDU Viewer 1.6.375 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .djvu file, related to a "Read Access Violation starting at STDUDjVuFile!DllUnregisterServer+0x000000000000d917." | |||||
| CVE-2017-14680 | 1 Zkteco | 1 Zktime Web | 2017-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document. | |||||
| CVE-2017-13129 | 1 Zkteco | 1 Zktime Web | 2017-10-03 | 6.0 MEDIUM | 8.0 HIGH |
| Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators by leveraging lack of anti-CSRF tokens. | |||||
| CVE-2017-1555 | 1 Ibm | 1 Api Connect | 2017-10-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated user to generate an API token when not subscribed to the application plan. IBM X-Force ID: 131545. | |||||
| CVE-2017-1425 | 1 Ibm | 1 Business Process Manager | 2017-10-03 | 3.5 LOW | 5.4 MEDIUM |
| IBM Business Process Manager 8.0.1.1 and 8.5.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127478. | |||||
| CVE-2015-7318 | 1 Plone | 1 Plone | 2017-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses. | |||||
| CVE-2015-7315 | 1 Plone | 1 Plone | 2017-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator. | |||||