CVEs from 2017

Total: 11,681
- critical: 1,647
- high: 5,041
- medium: 4,168
- low: 159
(The four severity buckets sum to 11,015, so 666 of the 11,681 entries carry no severity rating.)

% Critical: 14.1%
% with KEV: 0.7%
% with exploit: 9.8%
Top vendors

Top products
- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Flags | Description |
|---|---|---|---|---|---|
| CVE-2017-5404 | critical | — | 10.0 | — | multiple issues in thunderbird |
| CVE-2017-7783 | critical | — | 10.0 | — | If a long user name is used in a username/password combination in a site URL (such as "http://UserName:Password@example.com"), the resulting modal prompt will hang in a non-responsive state or crash… |
| CVE-2017-5447 | critical | — | 10.0 | — | An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This… |
| CVE-2017-5465 | critical | — | 10.0 | — | An out-of-bounds read while processing SVG content in "ConvolvePixel". This results in a crash and also allows for otherwise inaccessible memory being copied into SVG graphic content, which could the… |
| CVE-2017-5375 | critical | — | 10.0 | — | multiple issues in thunderbird |
| CVE-2017-5415 | critical | — | 10.0 | — | An attack can use a blob URL and script to spoof an arbitrary addressbar URL prefaced by "blob:" as the protocol, leading to user confusion and further spoofing attacks. This vulnerability affects Fi… |
| CVE-2017-5124 | critical | — | 10.0 | — | multiple issues in chromium |
| CVE-2017-7494 | high | — | 10.0 | 3y ago | Samba contains a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it. |
| CVE-2017-8291 | high | — | 10.0 | 4y ago | Artifex Ghostscript allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile. |
| CVE-2017-9841 | critical | — | 10.0 | 4y ago | PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., exte… |
| CVE-2017-16651 | high | — | 10.0 | 5y ago | Roundcube Webmail contains a file disclosure vulnerability caused by insufficient input validation in conjunction with file-based attachment plugins, which are used by default. |
| CVE-2017-18001 | critical | 9.8 | 10.0 | 9y ago | Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, vi… |
| CVE-2017-17968 | critical | 9.8 | 10.0 | 9y ago | A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP respons… |
| CVE-2017-17932 | critical | 9.8 | 10.0 | 9y ago | A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on th… |
| CVE-2017-17875 | critical | 9.8 | 10.0 | 9y ago | The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action. |
| CVE-2017-17873 | critical | 9.8 | 10.0 | 9y ago | Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via the PATH_INFO to the /p URI. |
| CVE-2017-17872 | critical | 9.8 | 10.0 | 9y ago | The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection via the id parameter in a view=category action. |
| CVE-2017-17871 | critical | 9.8 | 10.0 | 9y ago | The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL Injection via the an parameter in a view=tags action, or the ques-srch parameter. |
| CVE-2017-17870 | critical | 9.8 | 10.0 | 9y ago | The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the appid parameter in an entriessearch action. |
| CVE-2017-17849 | critical | 9.8 | 10.0 | 9y ago | A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. |
| CVE-2017-17411 | critical | 9.8 | 10.0 | 9y ago | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exis… |
| CVE-2017-17761 | critical | 9.8 | 10.0 | 9y ago | An issue was discovered on Ichano AtHome IP Camera devices. The device runs the "noodles" binary - a service on port 1300 that allows a remote (LAN) unauthenticated user to run arbitrary commands. Th… |
| CVE-2017-17759 | critical | 9.8 | 10.0 | 9y ago | Conarc iChannel allows remote attackers to obtain sensitive information, modify the configuration, or cause a denial of service (by deleting the configuration) via a wc.dll?wwMaint~EditConfig request… |
| CVE-2017-17105 | critical | 9.8 | 10.0 | 9y ago | Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-between versions) web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the w… |
| CVE-2017-16949 | critical | 9.8 | 10.0 | 9y ago | An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file … |
| CVE-2017-17721 | critical | 9.8 | 10.0 | 9y ago | CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorde… |
| CVE-2017-17651 | critical | 9.8 | 10.0 | 9y ago | Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php uid parameter, the admin/viewemcamp.php fnum parameter, or the admin/viewvisitcamp.php fn parameter. |
| CVE-2017-17645 | critical | 9.8 | 10.0 | 9y ago | Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php. |
| CVE-2017-17643 | critical | 9.8 | 10.0 | 9y ago | FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/. |
| CVE-2017-17739 | critical | 9.8 | 10.0 | 9y ago | The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files. |
| CVE-2017-3195 | critical | 9.8 | 10.0 | 9y ago | Commvault Edge Communication Service (cvd) prior to version 11 SP7 or version 11 SP6 with hotfix 590 is prone to a stack-based buffer overflow vulnerability that could lead to arbitrary code executio… |
| CVE-2017-17672 | critical | 9.8 | 10.0 | 9y ago | In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage o… |
| CVE-2017-17648 | critical | 9.8 | 10.0 | 9y ago | Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_result.php marital, gender, country, or profileid parameter. |
| CVE-2017-17642 | critical | 9.8 | 10.0 | 9y ago | Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job. |
| CVE-2017-17641 | critical | 9.8 | 10.0 | 9y ago | Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter. |
| CVE-2017-17640 | critical | 9.8 | 10.0 | 9y ago | Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter. |
| CVE-2017-17639 | critical | 9.8 | 10.0 | 9y ago | Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter. |
| CVE-2017-17638 | critical | 9.8 | 10.0 | 9y ago | Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter. |
| CVE-2017-17637 | critical | 9.8 | 10.0 | 9y ago | Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val parameter. |
| CVE-2017-17636 | critical | 9.8 | 10.0 | 9y ago | MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter. |
| CVE-2017-17635 | critical | 9.8 | 10.0 | 9y ago | MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter. |
| CVE-2017-17634 | critical | 9.8 | 10.0 | 9y ago | Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. |
| CVE-2017-17633 | critical | 9.8 | 10.0 | 9y ago | Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid parameter. |
| CVE-2017-17632 | critical | 9.8 | 10.0 | 9y ago | Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. |
| CVE-2017-17631 | critical | 9.8 | 10.0 | 9y ago | Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the success-story.php succid parameter. |
| CVE-2017-17630 | critical | 9.8 | 10.0 | 9y ago | Yoga Class Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17629 | critical | 9.8 | 10.0 | 9y ago | Secure E-commerce Script 2.0.1 has SQL Injection via the category.php searchmain or searchcat parameter, or the single_detail.php sid parameter. |
| CVE-2017-17628 | critical | 9.8 | 10.0 | 9y ago | Responsive Realestate Script 3.2 has SQL Injection via the property-list tbud parameter. |
| CVE-2017-17627 | critical | 9.8 | 10.0 | 9y ago | Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter. |
| CVE-2017-17626 | critical | 9.8 | 10.0 | 9y ago | Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter. |
| CVE-2017-17625 | critical | 9.8 | 10.0 | 9y ago | Professional Service Script 1.0 has SQL Injection via the service-list city parameter. |
| CVE-2017-17624 | critical | 9.8 | 10.0 | 9y ago | PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter. |
| CVE-2017-17623 | critical | 9.8 | 10.0 | 9y ago | Opensource Classified Ads Script 3.2 has SQL Injection via the advance_result.php keyword parameter. |
| CVE-2017-17622 | critical | 9.8 | 10.0 | 9y ago | Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter. |
| CVE-2017-17621 | critical | 9.8 | 10.0 | 9y ago | Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI. |
| CVE-2017-17620 | critical | 9.8 | 10.0 | 9y ago | Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city parameter. |
| CVE-2017-17619 | critical | 9.8 | 10.0 | 9y ago | Laundry Booking Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17618 | critical | 9.8 | 10.0 | 9y ago | Kickstarter Clone Script 2.0 has SQL Injection via the investcalc.php projid parameter. |
| CVE-2017-17617 | critical | 9.8 | 10.0 | 9y ago | Foodspotting Clone Script 1.0 has SQL Injection via the quicksearch.php q parameter. |
| CVE-2017-17616 | critical | 9.8 | 10.0 | 9y ago | Event Search Script 1.0 has SQL Injection via the /event-list city parameter. |
| CVE-2017-17614 | critical | 9.8 | 10.0 | 9y ago | Food Order Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17613 | critical | 9.8 | 10.0 | 9y ago | Freelance Website Script 2.0.6 has SQL Injection via the jobdetails.php pr_id parameter or the searchbycat_list.php catid parameter. |
| CVE-2017-17612 | critical | 9.8 | 10.0 | 9y ago | Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter. |
| CVE-2017-17611 | critical | 9.8 | 10.0 | 9y ago | Doctor Search Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17610 | critical | 9.8 | 10.0 | 9y ago | E-commerce MLM Software 1.0 has SQL Injection via the service_detail.php pid parameter, event_detail.php eventid parameter, or news_detail.php newid parameter. |
| CVE-2017-17609 | critical | 9.8 | 10.0 | 9y ago | Chartered Accountant Booking Script 1.0 has SQL Injection via the /service-list city parameter. |
| CVE-2017-17608 | critical | 9.8 | 10.0 | 9y ago | Child Care Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17607 | critical | 9.8 | 10.0 | 9y ago | CMS Auditor Website 1.0 has SQL Injection via the PATH_INFO to /news-detail. |
| CVE-2017-17606 | critical | 9.8 | 10.0 | 9y ago | Co-work Space Search Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17605 | critical | 9.8 | 10.0 | 9y ago | Consumer Complaints Clone Script 1.0 has SQL Injection via the other-user-profile.php id parameter. |
| CVE-2017-17604 | critical | 9.8 | 10.0 | 9y ago | Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker_details.php sourcebus parameter. |
| CVE-2017-17603 | critical | 9.8 | 10.0 | 9y ago | Advanced Real Estate Script 4.0.7 has SQL Injection via the search-results.php Projectmain, proj_type, searchtext, sell_price, or maxprice parameter. |
| CVE-2017-17602 | critical | 9.8 | 10.0 | 9y ago | Advance B2B Script 2.1.3 has SQL Injection via the tradeshow-list-detail.php show_id or view-product.php pid parameter. |
| CVE-2017-17601 | critical | 9.8 | 10.0 | 9y ago | Cab Booking Script 1.0 has SQL Injection via the /service-list city parameter. |
| CVE-2017-17600 | critical | 9.8 | 10.0 | 9y ago | Basic B2B Script 2.0.8 has SQL Injection via the product_details.php id parameter. |
| CVE-2017-17599 | critical | 9.8 | 10.0 | 9y ago | Advance Online Learning Management Script 3.1 has SQL Injection via the courselist.php subcatid or popcourseid parameter. |
| CVE-2017-17598 | critical | 9.8 | 10.0 | 9y ago | Affiliate MLM Script 1.0 has SQL Injection via the product-category.php key parameter. |
| CVE-2017-17597 | critical | 9.8 | 10.0 | 9y ago | Nearbuy Clone Script 3.2 has SQL Injection via the category_list.php search parameter. |
| CVE-2017-17596 | critical | 9.8 | 10.0 | 9y ago | Entrepreneur Job Portal Script 2.0.6 has SQL Injection via the jobsearch_all.php rid1 parameter. |
| CVE-2017-17595 | critical | 9.8 | 10.0 | 9y ago | Beauty Parlour Booking Script 1.0 has SQL Injection via the /list gender or city parameter. |
| CVE-2017-17594 | critical | 9.8 | 10.0 | 9y ago | DomainSale PHP Script 1.0 has SQL Injection via the domain.php id parameter. |
| CVE-2017-17592 | critical | 9.8 | 10.0 | 9y ago | Website Auction Marketplace 2.0.5 has SQL Injection via the search.php cat_id parameter. |
| CVE-2017-17591 | critical | 9.8 | 10.0 | 9y ago | Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single-cause.php pid parameter. |
| CVE-2017-17590 | critical | 9.8 | 10.0 | 9y ago | FS Stackoverflow Clone 1.0 has SQL Injection via the /question keywords parameter. |
| CVE-2017-17589 | critical | 9.8 | 10.0 | 9y ago | FS Thumbtack Clone 1.0 has SQL Injection via the browse-category.php cat parameter or the browse-scategory.php sc parameter. |
| CVE-2017-17588 | critical | 9.8 | 10.0 | 9y ago | FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvshow.php s parameter, or show_misc_video.php id parameter. |
| CVE-2017-17587 | critical | 9.8 | 10.0 | 9y ago | FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter. |
| CVE-2017-17586 | critical | 9.8 | 10.0 | 9y ago | FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter. |
| CVE-2017-17585 | critical | 9.8 | 10.0 | 9y ago | FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter. |
| CVE-2017-17584 | critical | 9.8 | 10.0 | 9y ago | FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter. |
| CVE-2017-17583 | critical | 9.8 | 10.0 | 9y ago | FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter. |
| CVE-2017-17582 | critical | 9.8 | 10.0 | 9y ago | FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter. |
| CVE-2017-17581 | critical | 9.8 | 10.0 | 9y ago | FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid parameter. |
| CVE-2017-17580 | critical | 9.8 | 10.0 | 9y ago | FS Linkedin Clone 1.0 has SQL Injection via the group.php grid parameter, profile.php fid parameter, or company_details.php id parameter. |
| CVE-2017-17579 | critical | 9.8 | 10.0 | 9y ago | FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter. |
| CVE-2017-17578 | critical | 9.8 | 10.0 | 9y ago | FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter. |
| CVE-2017-17577 | critical | 9.8 | 10.0 | 9y ago | FS Trademe Clone 1.0 has SQL Injection via the search_item.php search parameter or the general_item_details.php id parameter. |
| CVE-2017-17576 | critical | 9.8 | 10.0 | 9y ago | FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat parameter, browse-scategory.php sc parameter, or service-provider.php ser parameter. |
| CVE-2017-17575 | critical | 9.8 | 10.0 | 9y ago | FS Groupon Clone 1.0 has SQL Injection via the item_details.php id parameter or the vendor_details.php id parameter. |
| CVE-2017-17574 | critical | 9.8 | 10.0 | 9y ago | FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter. |
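A dump like the table above is only useful once it is machine-readable. The script below is an added example, not code from this page or from any CVE database: it parses rows in the table's pipe-delimited layout into records, treats "—" as a missing score, keeps the fifth column under the page's own label (Flags) without interpreting its values, and recomputes the kind of summary the page header shows (severity buckets, percentage critical, rows with a flag, rows without a CVSS score) plus a rough bug-class breakdown. The sample rows are copied from the table; the keyword-to-class mapping is an assumption for illustration, not a CWE mapping taken from the page.

```python
"""Parse this page's CVE table and recompute summary statistics.

Added example; not code from the page. SAMPLE holds a few rows copied
from the table so the script runs offline. CLASSES is an assumed
keyword -> bug-class mapping, not a CWE assignment from the page.
"""
import re
from collections import Counter

# Constructed sample: rows copied verbatim from the table above.
SAMPLE = """\
| CVE | Severity | CVSS | Risk | Flags | Description |
|---|---|---|---|---|---|
| CVE-2017-5404 | critical | — | 10.0 | — | multiple issues in thunderbird |
| CVE-2017-7494 | high | — | 10.0 | 3y ago | Samba contains a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share and then cause the server to load and execute it. |
| CVE-2017-9841 | critical | — | 10.0 | 4y ago | PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., exte… |
| CVE-2017-17875 | critical | 9.8 | 10.0 | 9y ago | The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via the id parameter in a view=category action. |
| CVE-2017-17739 | critical | 9.8 | 10.0 | 9y ago | The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files. |
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed keyword -> class table (illustrative); first match wins, so the
# more specific classes come before the generic "rce" bucket.
CLASSES = [
    ("sql injection", "sqli"),
    ("buffer overflow", "memory"),
    ("out-of-bounds", "memory"),
    ("deserialization", "deser"),
    ("directory traversal", "traversal"),
    ("command injection", "cmdi"),
    ("remote code execution", "rce"),
    ("execute arbitrary", "rce"),
]


def _num(cell):
    """'9.8' -> 9.8; the page's '—' (or an empty cell) -> None."""
    cell = cell.strip()
    if cell in ("", "—", "-"):
        return None
    return float(cell)


def parse_rows(text):
    """Return one dict per data row; header, separator and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        # maxsplit=5 keeps any '|' inside the description in the last cell.
        cells = [c.strip() for c in line.strip("|").split("|", 5)]
        if not CVE_RE.match(cells[0]):
            continue
        cells += [""] * (6 - len(cells))  # tolerate short rows
        rows.append({
            "cve": cells[0],
            "severity": cells[1].lower(),
            "cvss": _num(cells[2]),
            "risk": _num(cells[3]),
            "flag": cells[4] if cells[4] not in ("", "—") else None,
            "description": cells[5],
        })
    return rows


def classify(description):
    """Map a description to an assumed bug class by keyword; 'other' if none matches."""
    d = description.lower()
    for needle, label in CLASSES:
        if needle in d:
            return label
    return "other"


def summarize(rows):
    """Recompute header-style stats for the parsed rows."""
    by_sev = Counter(r["severity"] for r in rows)
    by_class = Counter(classify(r["description"]) for r in rows)
    total = len(rows)
    return {
        "total": total,
        "by_severity": dict(by_sev),
        "pct_critical": round(100.0 * by_sev["critical"] / total, 1) if total else 0.0,
        "by_class": dict(by_class),
        "flagged": [r["cve"] for r in rows if r["flag"]],
        "no_cvss": [r["cve"] for r in rows if r["cvss"] is None],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rows(SAMPLE)), indent=2))
```

Point `parse_rows` at the full table text instead of `SAMPLE` to get the breakdown for every row on the page; the `no_cvss` list is worth checking first, since those are the entries (the Mozilla/Chromium rows and the flagged Samba, Ghostscript, PHPUnit and Roundcube rows here) where the page's 10.0 Risk value is not backed by a CVSS score in the table.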