CVEs from 2017

- Total: 11,665
- Critical: 1,647
- High: 5,041
- Medium: 4,168
- Low: 159
- % Critical: 14.1%
- % with KEV: 0.7%
- % with exploit: 9.8%
Top vendors
Top products
- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-10100 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: HTML Area). The supported version that is affected is 9.1.0. Easily exploitable … |
| CVE-2017-10097 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Reporting). Supported versions that are affected are 8.5.1 and 9.0.0. Easil… |
| CVE-2017-10092 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerabil… |
| CVE-2017-10083 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Infrastructure). Supported versions that are affected are 11.3.0, 11.4.0, 12.… |
| CVE-2017-10082 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerabil… |
| CVE-2017-10080 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Security). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerabil… |
| CVE-2017-10079 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle Hospitality Suites Management component of Oracle Hospitality Applications (subcomponent: Core). The supported version that is affected is 3.7. Easily exploitable vulnerab… |
| CVE-2017-10070 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub component of Oracle PeopleSoft Products (subcomponent: Maintenance Folders). The supported version that is affected is 9.1.0. Easily ex… |
| CVE-2017-10064 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Hospitality WebSuite8 Cloud Service component of Oracle Hospitality Applications (subcomponent: General). Supported versions that are affected are 8.9.6 and 8.10.x. Easily exploi… |
| CVE-2017-10052 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: PCMServlet). Supported versions that are affected are 9.3.5 and 9.3.6. Easily exploitable vulnerab… |
| CVE-2017-10049 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Siebel Core CRM component of Oracle Siebel CRM (subcomponent: Search). Supported versions that are affected are 16.0 and 17.0. Easily exploitable vulnerability allows unauthentic… |
| CVE-2017-10021 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: PIA Search). Supported versions that are affected are 8.54 and 8.55. Easily exploitable v… |
| CVE-2017-10017 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Workcenter). Supported versions that are affected are 8.54 and 8.55. Easily exploitable v… |
| CVE-2017-10005 | medium | 6.1 | 6.1 | | | | 9y ago | Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Miscellaneous). Supported versions that are affected are 2.0.0, 2.0.1, 2.2.0 an… |
| CVE-2017-12677 | medium | 6.1 | 6.1 | | | | 9y ago | IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Angular expression on the authorize response page, which might allow remote attackers to obtain sensitive information about the Iden… |
| CVE-2017-12655 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the query parameter to log.php in a dailylog action. |
| CVE-2017-12649 | medium | 6.1 | 6.1 | | | | 9y ago | Liferay Portal Vulnerable to XSS via Mishandled Title or Summary in the Web Content Display |
| CVE-2017-12648 | medium | 6.1 | 6.1 | | | | 9y ago | Liferay Portal XSS Vulnerability |
| CVE-2017-12647 | medium | 6.1 | 6.1 | | | | 9y ago | Liferay Portal Vulnerable to XSS via a Knowledge Base Article Title |
| CVE-2017-12646 | medium | 6.1 | 6.1 | | | | 9y ago | Liferay Portal XSS Vulnerability |
| CVE-2017-12645 | medium | 6.1 | 6.1 | | | | 9y ago | Liferay Portal Vulnerable to XSS via an Invalid portletId |
| CVE-2017-6765 | medium | 6.1 | 6.1 | | | | 9y ago | A vulnerability in the web-based management interface of Cisco Adaptive Security Appliance (ASA) 9.1(6.11) and 9.4(1.2) could allow an unauthenticated, remote attacker to conduct a cross-site scripti… |
| CVE-2017-6762 | medium | 6.1 | 6.1 | | | | 9y ago | A vulnerability in the web-based management interface of Cisco Jabber Guest Server 10.6(9), 11.0(0), and 11.0(1) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS… |
| CVE-2017-6761 | medium | 6.1 | 6.1 | | | | 9y ago | A vulnerability in the web-based management interface of Cisco Finesse 10.6(1) and 11.5(1) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a use… |
| CVE-2017-12583 | medium | 6.1 | 6.1 | | | | 9y ago | DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE_AT variable) to doku.php. |
| CVE-2017-12413 | medium | 6.1 | 6.1 | | | | 9y ago | AXIS 2100 devices 2.43 have XSS via the URI, possibly related to admin/admin.shtml. |
| CVE-2017-1327 | medium | 6.1 | 6.1 | | | | 9y ago | IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially lea… |
| CVE-2017-9467 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in the GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote… |
| CVE-2017-9459 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in the management web interface in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7.0.16, 7.1.x before 7.1.11, and 8.x before 8.0.3 allows remote attacke… |
| CVE-2017-9244 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in the Trello app before 4.0.8 for iOS might allow remote attackers to inject arbitrary web script or HTML by uploading and attaching a crafted photo to a Car… |
| CVE-2017-2285 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting vulnerability in Simple Custom CSS and JS prior to version 3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-2284 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting vulnerability in Popup Maker prior to version 1.6.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2017-12200 | medium | 6.1 | 6.1 | | | | 9y ago | The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has XSS in the Add Product Manually component. |
| CVE-2017-12139 | medium | 6.1 | 6.1 | | | | 9y ago | XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing MIME type validation in htdocs/class/uploader.php. |
| CVE-2017-12138 | medium | 6.1 | 6.1 | | | | 9y ago | XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /modules/profile/index.php because of the URL filter. |
| CVE-2017-1500 | medium | 6.1 | 6.1 | | | | 9y ago | A Reflected Cross Site Scripting (XSS) vulnerability exists in the authorization function exposed by RESTful Web Api of IBM Worklight Framework 6.1, 6.2, 6.3, 7.0, 7.1, and 8.0. The vulnerable parame… |
| CVE-2017-12062 | medium | 6.1 | 6.1 | | | | 9y ago | MantisBT vulnerable to XSS via unsanitized filter field in manage_user_page.php |
| CVE-2017-12061 | medium | 6.1 | 6.1 | | | | 9y ago | MantisBT XSS allows unsanitized input via admin/install.php |
| CVE-2017-12131 | medium | 6.1 | 6.1 | | | | 9y ago | The Easy Testimonials plugin 3.0.4 for WordPress has XSS in include/settings/display.options.php, as demonstrated by the Default Testimonials Width, View More Testimonials Link, and Testimonial Excer… |
| CVE-2017-12068 | medium | 6.1 | 6.1 | | | | 9y ago | The Event List plugin 0.7.9 for WordPress has XSS in the slug array parameter to wp-admin/admin.php in an el_admin_categories delete_bulk action. |
| CVE-2017-11727 | medium | 6.1 | 6.1 | | | | 9y ago | services/system_io/actionprocessor/Contact.rails in ConnectWise Manage 2017.5 allows arbitrary client-side JavaScript code execution (involving a ContactCommon field) on victims who click on a crafte… |
| CVE-2017-1332 | medium | 6.1 | 6.1 | | | | 9y ago | IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially lea… |
| CVE-2017-1303 | medium | 6.1 | 6.1 | | | | 9y ago | IBM WebSphere Portal and Web Content Manager 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus alteri… |
| CVE-2017-11744 | medium | 6.1 | 6.1 | | | | 9y ago | In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when t… |
| CVE-2017-11737 | medium | 6.1 | 6.1 | | | | 9y ago | interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page. |
| CVE-2017-6259 | medium | 6.1 | 6.1 | | | | 9y ago | NVIDIA GPU Display Driver contains a vulnerability in the kernel mode layer handler where an incorrect detection and recovery from an invalid state produced by specific user actions may lead to denia… |
| CVE-2017-11718 | medium | 6.1 | 6.1 | | | | 9y ago | There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl parameter to member/login.php. |
| CVE-2017-11716 | medium | 6.1 | 6.1 | | | | 9y ago | MetInfo through 5.3.17 allows stored XSS via HTML Edit Mode. |
| CVE-2017-11687 | medium | 6.1 | 6.1 | | | | 9y ago | Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitr… |
| CVE-2017-11686 | medium | 6.1 | 6.1 | | | | 9y ago | Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the p… |
| CVE-2017-11685 | medium | 6.1 | 6.1 | | | | 9y ago | Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web… |
| CVE-2017-11682 | medium | 6.1 | 6.1 | | | | 9y ago | Stored Cross-site scripting vulnerability in Hashtopussy 0.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) version, (2) url, or (3) rootdir parameter in hashcat.php. |
| CVE-2017-11677 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in Hashtopus 1.5g allows remote attackers to inject arbitrary web script or HTML via the query string to admin.php. |
| CVE-2017-11666 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the file previewer plugin in Kopano WebApp versions 3.3.0 and earlier allows remote attackers to inject arbitrary web script or HTML v… |
| CVE-2017-11612 | medium | 6.1 | 6.1 | | | | 9y ago | In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. |
| CVE-2017-11651 | medium | 6.1 | 6.1 | | | | 9y ago | NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url tag. |
| CVE-2017-11629 | medium | 6.1 | 6.1 | | | | 9y ago | dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request. |
| CVE-2017-6755 | medium | 6.1 | 6.1 | | | | 9y ago | A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning (PCP) Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a use… |
| CVE-2017-11460 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter … |
| CVE-2017-11458 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, a… |
| CVE-2017-11617 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in atmail prior to version 7.8.0.2 allows remote attackers to inject arbitrary web script or HTML within the body of an email via an IMG element with both sin… |
| CVE-2017-10711 | medium | 6.1 | 6.1 | | | | 9y ago | In SimpleRisk 20170614-001, a CSRF attack on reset.php (aka the Send Password Reset Email form) can insert XSS sequences via the user parameter. |
| CVE-2017-11593 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus extension before 0.5.7 for Chrome allows remote attackers to inject arbitrary web script or HTML into some web applications via t… |
| CVE-2017-11586 | medium | 6.1 | 6.1 | | | | 9y ago | dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php. |
| CVE-2017-11581 | medium | 6.1 | 6.1 | | | | 9y ago | dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character. |
| CVE-2017-2274 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vect… |
| CVE-2017-11516 | medium | 6.1 | 6.1 | | | | 9y ago | Yii Cross-site Scripting Framework vulnerability |
| CVE-2017-9931 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-Site Scripting (XSS) exists in Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, as demonstrated by the action parameter to ajax.cgi. |
| CVE-2017-11503 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting in PHPMailer |
| CVE-2017-0378 | medium | 6.1 | 6.1 | | | | 9y ago | XSS exists in the login_form function in views/helpers.php in Phamm before 0.6.7, exploitable via the PATH_INFO to main.php. |
| CVE-2017-7059 | medium | 6.1 | 6.1 | | | | 9y ago | A DOMParser XSS issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" compon… |
| CVE-2017-7038 | medium | 6.1 | 6.1 | | | | 9y ago | A DOMParser XSS issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" compon… |
| CVE-2017-10676 | medium | 6.1 | 6.1 | | | | 9y ago | On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter. |
| CVE-2017-1223 | medium | 6.1 | 6.1 | | | | 9y ago | IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker c… |
| CVE-2017-1203 | medium | 6.1 | 6.1 | | | | 9y ago | IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web … |
| CVE-2017-9764 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remote attackers to inject arbitrary web script or HTML via the Client-IP or X-Forwarded-For HTTP header to /include/stat/stat.php in… |
| CVE-2017-10801 | medium | 6.1 | 6.1 | | | | 9y ago | phpSocial (formerly phpDolphin) before 3.0.1 has XSS in the PATH_INFO to the search/tag/ URI. |
| CVE-2017-10962 | medium | 6.1 | 6.1 | | | | 9y ago | REDCap before 7.5.1 has XSS via the query string. |
| CVE-2017-9934 | medium | 6.1 | 6.1 | | | | 9y ago | Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability. |
| CVE-2017-8896 | medium | 6.1 | 6.1 | | | | 9y ago | ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters. |
| CVE-2017-7663 | medium | 6.1 | 6.1 | | | | 9y ago | Apache OpenMeetings Cross-site Scripting vulnerability |
| CVE-2017-3103 | medium | 6.1 | 6.1 | | | | 9y ago | Adobe Connect versions 9.6.1 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to a stored cross-site scripting attack. |
| CVE-2017-3102 | medium | 6.1 | 6.1 | | | | 9y ago | Adobe Connect versions 9.6.1 and earlier have a reflected cross-site scripting vulnerability. Successful exploitation could lead to a reflected cross-site scripting attack. |
| CVE-2017-1000078 | medium | 6.1 | 6.1 | | | | 9y ago | Linux foundation ONOS 1.9 is vulnerable to XSS in the device. registration |
| CVE-2017-1000070 | medium | 6.1 | 6.1 | | | | 9y ago | Open Redirect in oauth2_proxy |
| CVE-2017-1000065 | medium | 6.1 | 6.1 | | | | 9y ago | Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in OpenMediaVault release 2.1 in Access Rights Management(Users) functionality allows attackers to inject arbitrary web scripts and exec… |
| CVE-2017-1000063 | medium | 6.1 | 6.1 | | | | 9y ago | kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 page resulting in information disclosure |
| CVE-2017-1000059 | medium | 6.1 | 6.1 | | | | 9y ago | Live Helper Chat version 2.06v and older is vulnerable to Cross-Site Scripting in the HTTP Header handling resulting in the execution of any user provided Javascript code in the session of other user… |
| CVE-2017-1000058 | medium | 6.1 | 6.1 | | | | 9y ago | Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one in the user profile and one in the Exif data parser. |
| CVE-2017-1000054 | medium | 6.1 | 6.1 | | | | 9y ago | Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages. |
| CVE-2017-1000051 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-site scripting (XSS) vulnerability in pad export in XWiki labs CryptPad before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the pad content |
| CVE-2017-1000038 | medium | 6.1 | 6.1 | | | | 9y ago | WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS resulting in attacker being able to execute JavaScript on the affected site |
| CVE-2017-1000035 | medium | 6.1 | 6.1 | | | | 9y ago | Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attack |
| CVE-2017-1000033 | medium | 6.1 | 6.1 | | | | 9y ago | Wordpress Plugin Vospari Forms version < 1.4 is vulnerable to a reflected cross site scripting in the form submission resulting in javascript code execution in the context on the current user. |
| CVE-2017-1000032 | medium | 6.1 | 6.1 | | | | 9y ago | Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sourc… |
| CVE-2017-1000027 | medium | 6.1 | 6.1 | | | | 9y ago | Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access. |
| CVE-2017-1000015 | medium | 6.1 | 6.1 | | | | 9y ago | phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters |
| CVE-2017-1000013 | medium | 6.1 | 6.1 | | | | 9y ago | phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness |
| CVE-2017-1000012 | medium | 6.1 | 6.1 | | | | 9y ago | MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user |
| CVE-2017-1000011 | medium | 6.1 | 6.1 | | | | 9y ago | MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information |