CVEs from 2017
| Metric | Value |
|---|---|
| Total | 11,979 |
| Critical | 1,647 |
| High | 5,043 |
| Medium | 4,165 |
| Low | 159 |
| % Critical | 13.7% |
| % with KEV | 0.7% |
| % with exploit | 0.7% |
Top vendors
Top products
- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 490
- asterisk 435
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2017-17107 | critical | 9.8 | 9.8 | 9y ago | Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to acces… | |
| CVE-2017-17106 | critical | 9.8 | 9.8 | 9y ago | Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerabil… | |
| CVE-2017-17105 | critical | 9.8 | 9.8 | 9y ago | Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-between versions) web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the w… | |
| CVE-2017-16949 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file … | |
| CVE-2017-15877 | critical | 9.8 | 9.8 | 9y ago | Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allows remote attackers to view the password and user database. | |
| CVE-2017-15875 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in Password Recovery in GPWeb 8.4.61 allows remote attackers to execute arbitrary SQL commands via the "checkemail" parameter. | |
| CVE-2017-17721 | critical | 9.8 | 9.8 | 9y ago | CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorde… | |
| CVE-2017-17651 | critical | 9.8 | 9.8 | 9y ago | Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php uid parameter, the admin/viewemcamp.php fnum parameter, or the admin/viewvisitcamp.php fn parameter. | |
| CVE-2017-17645 | critical | 9.8 | 9.8 | 9y ago | Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php. | |
| CVE-2017-17643 | critical | 9.8 | 9.8 | 9y ago | FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/. | |
| CVE-2017-17739 | critical | 9.8 | 9.8 | 9y ago | The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files. | |
| CVE-2017-17735 | critical | 9.8 | 9.8 | 9y ago | CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in cookies. | |
| CVE-2017-17734 | critical | 9.8 | 9.8 | 9y ago | CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login information in sessions. | |
| CVE-2017-17733 | critical | 9.8 | 9.8 | 9y ago | Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request. | |
| CVE-2017-17731 | critical | 9.8 | 9.8 | 9y ago | DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. | |
| CVE-2017-17730 | critical | 9.8 | 9.8 | 9y ago | DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. | |
| CVE-2017-17717 | critical | 9.8 | 9.8 | 9y ago | Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature. | |
| CVE-2017-17713 | critical | 9.8 | 9.8 | 9y ago | Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter,… | |
| CVE-2017-3195 | critical | 9.8 | 9.8 | 9y ago | Commvault Edge Communication Service (cvd) prior to version 11 SP7 or version 11 SP6 with hotfix 590 is prone to a stack-based buffer overflow vulnerability that could lead to arbitrary code executio… | |
| CVE-2017-3192 | critical | 9.8 | 9.8 | 9y ago | D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 do not sufficiently protect administrator credentials. The tools_admin.asp page discloses the administrator password in base64 e… | |
| CVE-2017-3191 | critical | 9.8 | 9.8 | 9y ago | D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 are vulnerable to authentication bypass of the remote login page. A remote attacker that can access the remote management login … | |
| CVE-2017-3186 | critical | 9.8 | 9.8 | 9y ago | ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC use non-random default credentials across all devices. A remote attacker can take complete control of a dev… | |
| CVE-2017-3185 | critical | 9.8 | 9.8 | 9y ago | ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such… | |
| CVE-2017-3184 | critical | 9.8 | 9.8 | 9y ago | ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC fail to properly restrict access to the factory reset page. An unauthenticated, remote attacker can exploit… | |
| CVE-2017-10904 | critical | 9.8 | 9.8 | 9y ago | Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. | |
| CVE-2017-17701 | critical | 9.8 | 9.8 | 9y ago | K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025c8 DeviceIoControl request. | |
| CVE-2017-17700 | critical | 9.8 | 9.8 | 9y ago | K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025a4 DeviceIoControl request. | |
| CVE-2017-17699 | critical | 9.8 | 9.8 | 9y ago | K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025ac DeviceIoControl request. | |
| CVE-2017-14101 | critical | 9.8 | 9.8 | 9y ago | A security researcher found an XML External Entity (XXE) vulnerability on the Conserus Image Repository archive solution version 2.1.1.105 by McKesson Medical Imaging Company, which is now a Change H… | |
| CVE-2017-17672 | critical | 9.8 | 9.8 | 9y ago | In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage o… | |
| CVE-2017-17671 | critical | 9.8 | 9.8 | 9y ago | vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify … | |
| CVE-2017-17648 | critical | 9.8 | 9.8 | 9y ago | Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_result.php marital, gender, country, or profileid parameter. | |
| CVE-2017-17642 | critical | 9.8 | 9.8 | 9y ago | Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job. | |
| CVE-2017-17641 | critical | 9.8 | 9.8 | 9y ago | Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter. | |
| CVE-2017-17640 | critical | 9.8 | 9.8 | 9y ago | Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter. | |
| CVE-2017-17639 | critical | 9.8 | 9.8 | 9y ago | Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter. | |
| CVE-2017-17638 | critical | 9.8 | 9.8 | 9y ago | Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter. | |
| CVE-2017-17637 | critical | 9.8 | 9.8 | 9y ago | Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val parameter. | |
| CVE-2017-17636 | critical | 9.8 | 9.8 | 9y ago | MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter. | |
| CVE-2017-17635 | critical | 9.8 | 9.8 | 9y ago | MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter. | |
| CVE-2017-17634 | critical | 9.8 | 9.8 | 9y ago | Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. | |
| CVE-2017-17633 | critical | 9.8 | 9.8 | 9y ago | Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid parameter. | |
| CVE-2017-17632 | critical | 9.8 | 9.8 | 9y ago | Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. | |
| CVE-2017-17631 | critical | 9.8 | 9.8 | 9y ago | Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the success-story.php succid parameter. | |
| CVE-2017-17630 | critical | 9.8 | 9.8 | 9y ago | Yoga Class Script 1.0 has SQL Injection via the /list city parameter. | |
| CVE-2017-17629 | critical | 9.8 | 9.8 | 9y ago | Secure E-commerce Script 2.0.1 has SQL Injection via the category.php searchmain or searchcat parameter, or the single_detail.php sid parameter. | |
| CVE-2017-17628 | critical | 9.8 | 9.8 | 9y ago | Responsive Realestate Script 3.2 has SQL Injection via the property-list tbud parameter. | |
| CVE-2017-17627 | critical | 9.8 | 9.8 | 9y ago | Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter. | |
| CVE-2017-17626 | critical | 9.8 | 9.8 | 9y ago | Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter. | |
| CVE-2017-17625 | critical | 9.8 | 9.8 | 9y ago | Professional Service Script 1.0 has SQL Injection via the service-list city parameter. | |
| CVE-2017-17624 | critical | 9.8 | 9.8 | 9y ago | PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter. | |
| CVE-2017-17623 | critical | 9.8 | 9.8 | 9y ago | Opensource Classified Ads Script 3.2 has SQL Injection via the advance_result.php keyword parameter. | |
| CVE-2017-17622 | critical | 9.8 | 9.8 | 9y ago | Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter. | |
| CVE-2017-17621 | critical | 9.8 | 9.8 | 9y ago | Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI. | |
| CVE-2017-17620 | critical | 9.8 | 9.8 | 9y ago | Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city parameter. | |
| CVE-2017-17619 | critical | 9.8 | 9.8 | 9y ago | Laundry Booking Script 1.0 has SQL Injection via the /list city parameter. | |
| CVE-2017-17618 | critical | 9.8 | 9.8 | 9y ago | Kickstarter Clone Script 2.0 has SQL Injection via the investcalc.php projid parameter. | |
| CVE-2017-17617 | critical | 9.8 | 9.8 | 9y ago | Foodspotting Clone Script 1.0 has SQL Injection via the quicksearch.php q parameter. | |
| CVE-2017-17616 | critical | 9.8 | 9.8 | 9y ago | Event Search Script 1.0 has SQL Injection via the /event-list city parameter. | |
| CVE-2017-17614 | critical | 9.8 | 9.8 | 9y ago | Food Order Script 1.0 has SQL Injection via the /list city parameter. | |
| CVE-2017-17613 | critical | 9.8 | 9.8 | 9y ago | Freelance Website Script 2.0.6 has SQL Injection via the jobdetails.php pr_id parameter or the searchbycat_list.php catid parameter. | |
| CVE-2017-17612 | critical | 9.8 | 9.8 | 9y ago | Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter. | |
| CVE-2017-17611 | critical | 9.8 | 9.8 | 9y ago | Doctor Search Script 1.0 has SQL Injection via the /list city parameter. | |
| CVE-2017-17610 | critical | 9.8 | 9.8 | 9y ago | E-commerce MLM Software 1.0 has SQL Injection via the service_detail.php pid parameter, event_detail.php eventid parameter, or news_detail.php newid parameter. | |
| CVE-2017-17609 | critical | 9.8 | 9.8 | 9y ago | Chartered Accountant Booking Script 1.0 has SQL Injection via the /service-list city parameter. | |
| CVE-2017-17608 | critical | 9.8 | 9.8 | 9y ago | Child Care Script 1.0 has SQL Injection via the /list city parameter. | |
| CVE-2017-17607 | critical | 9.8 | 9.8 | 9y ago | CMS Auditor Website 1.0 has SQL Injection via the PATH_INFO to /news-detail. | |
| CVE-2017-17606 | critical | 9.8 | 9.8 | 9y ago | Co-work Space Search Script 1.0 has SQL Injection via the /list city parameter. | |
| CVE-2017-17605 | critical | 9.8 | 9.8 | 9y ago | Consumer Complaints Clone Script 1.0 has SQL Injection via the other-user-profile.php id parameter. | |
| CVE-2017-17604 | critical | 9.8 | 9.8 | 9y ago | Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker_details.php sourcebus parameter. | |
| CVE-2017-17603 | critical | 9.8 | 9.8 | 9y ago | Advanced Real Estate Script 4.0.7 has SQL Injection via the search-results.php Projectmain, proj_type, searchtext, sell_price, or maxprice parameter. | |
| CVE-2017-17602 | critical | 9.8 | 9.8 | 9y ago | Advance B2B Script 2.1.3 has SQL Injection via the tradeshow-list-detail.php show_id or view-product.php pid parameter. | |
| CVE-2017-17601 | critical | 9.8 | 9.8 | 9y ago | Cab Booking Script 1.0 has SQL Injection via the /service-list city parameter. | |
| CVE-2017-17600 | critical | 9.8 | 9.8 | 9y ago | Basic B2B Script 2.0.8 has SQL Injection via the product_details.php id parameter. | |
| CVE-2017-17599 | critical | 9.8 | 9.8 | 9y ago | Advance Online Learning Management Script 3.1 has SQL Injection via the courselist.php subcatid or popcourseid parameter. | |
| CVE-2017-17598 | critical | 9.8 | 9.8 | 9y ago | Affiliate MLM Script 1.0 has SQL Injection via the product-category.php key parameter. | |
| CVE-2017-17597 | critical | 9.8 | 9.8 | 9y ago | Nearbuy Clone Script 3.2 has SQL Injection via the category_list.php search parameter. | |
| CVE-2017-17596 | critical | 9.8 | 9.8 | 9y ago | Entrepreneur Job Portal Script 2.0.6 has SQL Injection via the jobsearch_all.php rid1 parameter. | |
| CVE-2017-17595 | critical | 9.8 | 9.8 | 9y ago | Beauty Parlour Booking Script 1.0 has SQL Injection via the /list gender or city parameter. | |
| CVE-2017-17594 | critical | 9.8 | 9.8 | 9y ago | DomainSale PHP Script 1.0 has SQL Injection via the domain.php id parameter. | |
| CVE-2017-17592 | critical | 9.8 | 9.8 | 9y ago | Website Auction Marketplace 2.0.5 has SQL Injection via the search.php cat_id parameter. | |
| CVE-2017-17591 | critical | 9.8 | 9.8 | 9y ago | Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single-cause.php pid parameter. | |
| CVE-2017-17590 | critical | 9.8 | 9.8 | 9y ago | FS Stackoverflow Clone 1.0 has SQL Injection via the /question keywords parameter. | |
| CVE-2017-17589 | critical | 9.8 | 9.8 | 9y ago | FS Thumbtack Clone 1.0 has SQL Injection via the browse-category.php cat parameter or the browse-scategory.php sc parameter. | |
| CVE-2017-17588 | critical | 9.8 | 9.8 | 9y ago | FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvshow.php s parameter, or show_misc_video.php id parameter. | |
| CVE-2017-17587 | critical | 9.8 | 9.8 | 9y ago | FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter. | |
| CVE-2017-17586 | critical | 9.8 | 9.8 | 9y ago | FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter. | |
| CVE-2017-17585 | critical | 9.8 | 9.8 | 9y ago | FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter. | |
| CVE-2017-17584 | critical | 9.8 | 9.8 | 9y ago | FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter. | |
| CVE-2017-17583 | critical | 9.8 | 9.8 | 9y ago | FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter. | |
| CVE-2017-17582 | critical | 9.8 | 9.8 | 9y ago | FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter. | |
| CVE-2017-17581 | critical | 9.8 | 9.8 | 9y ago | FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid parameter. | |
| CVE-2017-17580 | critical | 9.8 | 9.8 | 9y ago | FS Linkedin Clone 1.0 has SQL Injection via the group.php grid parameter, profile.php fid parameter, or company_details.php id parameter. | |
| CVE-2017-17579 | critical | 9.8 | 9.8 | 9y ago | FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter. | |
| CVE-2017-17578 | critical | 9.8 | 9.8 | 9y ago | FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter. | |
| CVE-2017-17577 | critical | 9.8 | 9.8 | 9y ago | FS Trademe Clone 1.0 has SQL Injection via the search_item.php search parameter or the general_item_details.php id parameter. | |
| CVE-2017-17576 | critical | 9.8 | 9.8 | 9y ago | FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat parameter, browse-scategory.php sc parameter, or service-provider.php ser parameter. | |
| CVE-2017-17575 | critical | 9.8 | 9.8 | 9y ago | FS Groupon Clone 1.0 has SQL Injection via the item_details.php id parameter or the vendor_details.php id parameter. | |
| CVE-2017-17574 | critical | 9.8 | 9.8 | 9y ago | FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter. | |
| CVE-2017-17573 | critical | 9.8 | 9.8 | 9y ago | FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, or the search.php category_id or sub_category_id parameter. | |