Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-3884 | 1 Qdpm | 1 Qdpm | 2017-03-20 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted file upload vulnerability in the (1) myAccount, (2) projects, (3) tasks, (4) tickets, (5) discussions, (6) reports, and (7) scheduler pages in qdPM 8.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/attachments/ or uploads/users/. | |||||
| CVE-2015-3883 | 1 Qdpm | 1 Qdpm | 2017-03-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in qdPM 8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) search[keywords] parameter to index.php/users page; the (2) "Name of application" on index.php/configuration; (3) a new project name on index.php/projects; (4) the task name on index.php/tasks; (5) ticket name on index.php/tickets; (6) discussion name on index.php/discussions; (7) report name on index.php/projectReports; or (8) event name on index.php/scheduler/personal. | |||||
| CVE-2014-8707 | 1 Pluck-cms | 1 Pluck | 2017-03-20 | 4.0 MEDIUM | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in TinyMCE in Pluck CMS 4.7.2 allows remote authenticated users to inject arbitrary web script or HTML via the "edit HTML source" option. | |||||
| CVE-2014-8723 | 1 Get-simple | 1 Getsimple Cms | 2017-03-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) plugins/anonymous_data.php or (2) plugins/InnovationPlugin.php, which reveals the installation path in an error message. | |||||
| CVE-2017-2656 | 2017-03-18 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-6320. Reason: This candidate is a reservation duplicate of CVE-2016-6320. Notes: All CVE users should reference CVE-2016-6320 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2017-5620 | 1 Zammad | 1 Zammad | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An XSS issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Attachments are opened in a new tab instead of getting downloaded. This creates an attack vector of executing code in the domain of the application. | |||||
| CVE-2017-5621 | 1 Zammad | 1 Zammad | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. XSS can be triggered via malicious HTML in a chat message or the content of a ticket article, when using either the REST API or the WebSocket API. | |||||
| CVE-2017-6534 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data (pssid) passed to the webpagetest-master/www/pss.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6535 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in webpagetest 3.0. The vulnerabilities exist due to insufficient filtration of user-supplied data (benchmark, url) passed to the webpagetest-master/www/benchmarks/trendurl.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6536 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in webpagetest 3.0. The vulnerabilities exist due to insufficient filtration of user-supplied data (url, pssid) passed to the webpagetest-master/www/weblite.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6537 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data (bgcolor) passed to the webpagetest-master/www/video/view.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6538 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data (video) passed to the webpagetest-master/www/speedindex/index.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6539 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in webpagetest 3.0. The vulnerabilities exist due to insufficient filtration of user-supplied data (benchmark, time) passed to the webpagetest-master/www/benchmarks/delta.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6540 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in webpagetest 3.0. The vulnerabilities exist due to insufficient filtration of user-supplied data (configs) passed to the webpagetest-master/www/benchmarks/compare.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6541 | 1 Webpagetest Project | 1 Webpagetest | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross-Site Scripting (XSS) issues were discovered in webpagetest 3.0. The vulnerabilities exist due to insufficient filtration of user-supplied data (benchmark, time) passed to the webpagetest-master/www/benchmarks/viewtest.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2017-6555 | 1 Cmsmadesimple | 1 Cms Made Simple | 2017-03-18 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php in CMS Made Simple 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the m1_description parameter (aka "Design Manager > Categories > Category Description"). | |||||
| CVE-2017-6556 | 1 Cmsmadesimple | 1 Cms Made Simple | 2017-03-18 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the "adminpage > sitesetting > General Settings > globalmetadata" field. | |||||
| CVE-2017-6804 | 2017-03-18 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2017-6808 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.faq.php (id parameter). | |||||
| CVE-2017-6809 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.donate.php (id parameter). | |||||
| CVE-2017-6810 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.fplinks.php (linkid parameter). | |||||
| CVE-2017-6811 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.shop.php (id parameter). | |||||
| CVE-2017-6812 | 1 Mangoswebv4 Project | 1 Mangoswebv4 | 2017-03-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in inc/admin/template_files/admin.vote.php (id parameter). | |||||
| CVE-2017-6902 | 2017-03-18 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2013-7460 | 1 Mcafee | 2 Application Control, Change Control | 2017-03-17 | 2.1 LOW | 5.5 MEDIUM |
| A write protection and execution bypass vulnerability in McAfee (now Intel Security) Application Control (MAC) 6.1.0 for Linux and earlier allows authenticated users to change binaries that are part of the Application Control whitelist and allows execution of binaries via specific conditions. | |||||
| CVE-2017-5937 | 1 Virglrenderer Project | 1 Virglrenderer | 2017-03-17 | 2.1 LOW | 6.5 MEDIUM |
| The util_format_is_pure_uint function in vrend_renderer.c in Virgil 3d project (aka virglrenderer) 0.6.0 and earlier allows local guest OS users to cause a denial of service (NULL pointer dereference) via a crafted VIRGL_CCMD_CLEAR command. | |||||
| CVE-2016-0770 | 1 Zahmit Design | 1 Connections Business Directory Plugin | 2017-03-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in includes/admin/pages/manage.php in the Connections Business Directory plugin before 8.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s variable. | |||||
| CVE-2015-8894 | 1 Imagemagick | 1 Imagemagick | 2017-03-17 | 4.3 MEDIUM | 5.5 MEDIUM |
| Double free vulnerability in coders/tga.c in ImageMagick 7.0.0 and later allows remote attackers to cause a denial of service (application crash) via a crafted tga file. | |||||
| CVE-2017-6367 | 1 Cerberusftp | 1 Ftp Server | 2017-03-17 | 5.0 MEDIUM | 7.5 HIGH |
| In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Windows service to crash. The attack methodology involves a long Host header and an invalid Content-Length header. | |||||
| CVE-2017-6061 | 1 Sap | 1 Businessobjects Financial Consolidation | 2017-03-16 | 4.3 MEDIUM | 4.7 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the help component of SAP BusinessObjects Financial Consolidation 10.0.0.1933 allows remote attackers to inject arbitrary web script or HTML via a GET request. /finance/help/en/frameset.htm is the URI for this component. The vendor response is SAP Security Note 2368106. | |||||
| CVE-2013-7461 | 1 Mcafee | 2 Application Control, Change Control | 2017-03-16 | 2.1 LOW | 5.5 MEDIUM |
| A write protection and execution bypass vulnerability in McAfee (now Intel Security) Change Control (MCC) 6.1.0 for Linux and earlier allows authenticated users to change files that are part of write protection rules via specific conditions. | |||||
| CVE-2017-6848 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. | |||||
| CVE-2017-6840 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (invalid read) via a crafted file. | |||||
| CVE-2017-6841 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement function in graphicsstack.h in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. | |||||
| CVE-2017-6847 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. | |||||
| CVE-2017-6055 | 1 Eparaksts | 1 Eparakstitajs 3 | 2017-03-16 | 6.8 MEDIUM | 7.8 HIGH |
| XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file. | |||||
| CVE-2017-6842 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. | |||||
| CVE-2017-6844 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 6.8 MEDIUM | 7.8 HIGH |
| Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file. | |||||
| CVE-2017-6843 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 6.8 MEDIUM | 7.8 HIGH |
| Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file. | |||||
| CVE-2017-6849 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. | |||||
| CVE-2017-6845 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. | |||||
| CVE-2017-6443 | 1 Epson | 1 Tmnet Webconfig | 2017-03-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in EPSON TMNet WebConfig 1.00 allows remote attackers to inject arbitrary web script or HTML via the W_AD1 parameter to Forms/oadmin_1. | |||||
| CVE-2017-6846 | 1 Podofo Project | 1 Podofo | 2017-03-16 | 4.3 MEDIUM | 5.5 MEDIUM |
| The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. | |||||
| CVE-2016-9338 | 1 Rockwellautomation | 20 1763-l16awa Series A, 1763-l16awa Series B, 1763-l16bbb Series A and 17 more | 2017-03-16 | 4.0 MEDIUM | 2.7 LOW |
| An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. Because of an Incorrect Permission Assignment for Critical Resource, users with administrator privileges may be able to remove all administrative users requiring a factory reset to restore ancillary web server function. Exploitation of this vulnerability will still allow the affected device to function in its capacity as a controller. | |||||
| CVE-2016-8363 | 1 Moxa | 28 Awk-1121, Awk-1121 Firmware, Awk-1127 and 25 more | 2017-03-16 | 7.5 HIGH | 10.0 CRITICAL |
| An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. User is able to execute arbitrary OS commands on the server. | |||||
| CVE-2016-9357 | 1 Eaton | 10 Eamaxx Series Epdu, Eamaxx Series Epdu Firmware, Eamxxx Series Epdu and 7 more | 2017-03-16 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in certain legacy Eaton ePDUs -- the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014. An unauthenticated attacker may be able to access configuration files with a specially crafted URL (Path Traversal). | |||||
| CVE-2016-9334 | 1 Rockwellautomation | 20 1763-l16awa Series A, 1763-l16awa Series B, 1763-l16bbb Series A and 17 more | 2017-03-16 | 5.0 MEDIUM | 7.3 HIGH |
| An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. User credentials are sent to the web server in clear text, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server. | |||||
| CVE-2016-8375 | 1 Bd | 1 Alaris 8015 Pc Unit | 2017-03-16 | 1.9 LOW | 4.9 MEDIUM |
| An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. | |||||
| CVE-2016-9355 | 1 Bd | 1 Alaris 8015 Pc Unit | 2017-03-16 | 2.1 LOW | 5.3 MEDIUM |
| An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience. | |||||
| CVE-2017-9999 | 2017-03-16 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was used as an example and was not assigned for a security issue. Notes: none. | |||||