CVEs from 2017
Total
11,796
critical
critical 1,647
high
high 5,043
medium
medium 4,165
low
low 159
% Critical
14.0%
% with KEV
0.7%
% with exploit
0.8%
Top vendors
Top products
- imagemagick 1,426
- joomla\! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2017-11494 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter in a login action. | |
| CVE-2017-12199 | critical | 9.8 | 9.8 | 9y ago | The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has SQL injection with these wp-admin/admin-ajax.php POST actions: catalogue_update_order list-item, video_update_order video-item, ima… | |
| CVE-2017-4923 | critical | 9.8 | 9.8 | 9y ago | VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure vulnerability. This issue may allow plaintext credentials to be obtained when using the vCenter Server Appliance file-ba… | |
| CVE-2017-11381 | critical | 9.8 | 9.8 | 9y ago | A command injection vulnerability exists in Trend Micro Deep Discovery Director 1.1 that allows an attacker to restore accounts that can access the pre-configuration console. | |
| CVE-2017-11380 | critical | 9.8 | 9.8 | 9y ago | Backup archives were found to be encrypted with a static password across different installations, which suggest the same password may be used in all virtual appliance instances of Trend Micro Deep Di… | |
| CVE-2017-11129 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The keystore is locked with a hard-coded password. Therefore, everyone with access to the keystore can read the content o… | |
| CVE-2017-12065 | critical | 9.8 | 9.8 | 9y ago | spikekill.php in Cacti before 1.1.16 might allow remote attackers to execute arbitrary code via the avgnan, outlier-start, or outlier-end parameter. | |
| CVE-2017-11757 | critical | 9.8 | 9.8 | 9y ago | Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 allows remote attackers to execute arbitrary code via crafted traffic to TCP port 1583. The overflow occurs after Server-Client … | |
| CVE-2017-11743 | critical | 9.8 | 9.8 | 9y ago | MEDHOST Connex contains a hard-coded Mirth Connect admin credential that is used for customer Mirth Connect management access. An attacker with knowledge of the hard-coded credential and the ability … | |
| CVE-2017-9521 | critical | 9.8 | 9.8 | 9y ago | The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); Cisco DPC3939B (firmw… | |
| CVE-2017-9483 | critical | 9.8 | 9.8 | 9y ago | The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) devices allows Network Processor (NP) Linux users to obtain root access to the Application Processo… | |
| CVE-2017-9482 | critical | 9.8 | 9.8 | 9y ago | The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) devices allows remote attackers to obtain root access to the Network Processor (NP) Linux system by… | |
| CVE-2017-9479 | critical | 9.8 | 9.8 | 9y ago | The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST) devices allows remote attackers to execute arbitrary commands as root by leveraging local network a… | |
| CVE-2017-11720 | critical | 9.8 | 9.8 | 9y ago | There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file. | |
| CVE-2017-11715 | critical | 9.8 | 9.8 | 9y ago | job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .pht… | |
| CVE-2017-11645 | critical | 9.8 | 9.8 | 9y ago | NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1.8.8 / Bootloader: 1.1.3 do not require authentication for logfile.html, status.html, or system_config.html. | |
| CVE-2017-11184 | critical | 9.8 | 9.8 | 9y ago | SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 via the start parameter. | |
| CVE-2017-11673 | critical | 9.8 | 9.8 | 9y ago | Reporter.exe in Acunetix 8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed PRE file, related to a "User Mode Write AV starting at re… | |
| CVE-2017-11643 | critical | 9.8 | 9.8 | 9y ago | GraphicsMagick 1.3.26 has a heap overflow in the WriteCMYKImage() function in coders/cmyk.c when processing multiple frames that have non-identical widths. | |
| CVE-2017-11641 | critical | 9.8 | 9.8 | 9y ago | GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function in magick/pixel_cache.c during writing of Magick Persistent Cache (MPC) files. | |
| CVE-2017-11637 | critical | 9.8 | 9.8 | 9y ago | GraphicsMagick 1.3.26 has a NULL pointer dereference in the WritePCLImage() function in coders/pcl.c during writes of monochrome images. | |
| CVE-2017-11636 | critical | 9.8 | 9.8 | 9y ago | GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage() function in coders/rgb.c when processing multiple frames that have non-identical widths. | |
| CVE-2017-11631 | critical | 9.8 | 9.8 | 9y ago | dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL injection via the id parameter. | |
| CVE-2017-11459 | critical | 9.8 | 9.8 | 9y ago | SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Not… | |
| CVE-2017-11614 | critical | 9.8 | 9.8 | 9y ago | MEDHOST Connex contains hard-coded credentials that are used for customer database access. An attacker with knowledge of the hard-coded credentials and the ability to communicate directly with the da… | |
| CVE-2017-11324 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of the backtick character, a SELECT query in class.SystemAction.php is vulnerable to SQL Injection. The vulnerability can be trigge… | |
| CVE-2017-11589 | critical | 9.8 | 9.8 | 9y ago | On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is no access control … | |
| CVE-2017-11588 | critical | 9.8 | 9.8 | 9y ago | On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is remote command exe… | |
| CVE-2017-11585 | critical | 9.8 | 9.8 | 9y ago | dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection. | |
| CVE-2017-11584 | critical | 9.8 | 9.8 | 9y ago | dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php. | |
| CVE-2017-11583 | critical | 9.8 | 9.8 | 9y ago | dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. | |
| CVE-2017-11582 | critical | 9.8 | 9.8 | 9y ago | dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php. | |
| CVE-2017-11543 | critical | 9.8 | 9.8 | 9y ago | tcpdump 4.9.0 has a buffer overflow in the sliplink_print function in print-sl.c. | |
| CVE-2017-11542 | critical | 9.8 | 9.8 | 9y ago | tcpdump 4.9.0 has a heap-based buffer over-read in the pimv1_print function in print-pim.c. | |
| CVE-2017-11541 | critical | 9.8 | 9.8 | 9y ago | tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c. | |
| CVE-2017-7336 | critical | 9.8 | 9.8 | 9y ago | A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and lower versions allows a remote attacker to log-in and execute commands with 'upgrade' account privileges. | |
| CVE-2017-3222 | critical | 9.8 | 9.8 | 9y ago | Hard-coded credentials in AmosConnect 8 allow remote attackers to gain full administrative privileges, including the ability to execute commands on the Microsoft Windows host platform with SYSTEM pri… | |
| CVE-2017-3221 | critical | 9.8 | 9.8 | 9y ago | Blind SQL injection in Inmarsat AmosConnect 8 login form allows remote attackers to access user credentials, including user names and passwords. | |
| CVE-2017-2126 | critical | 9.8 | 9.8 | 9y ago | WAPM-1166D firmware Ver.1.2.7 and earlier, WAPM-APG600H firmware Ver.1.16.1 and earlier allows remote attackers to bypass authentication and access the configuration interface via unspecified vectors. | |
| CVE-2017-7480 | critical | 9.8 | 9.8 | 9y ago | rkhunter versions before 1.4.4 are vulnerable to file download over insecure channel when doing mirror update resulting into potential remote code execution. | |
| CVE-2017-11519 | critical | 9.8 | 9.8 | 9y ago | passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an attacker to reset the admin password by leveraging a predictable random number generator seed. This is fixed in C9(UN)_V2_170511. | |
| CVE-2017-11517 | critical | 9.8 | 9.8 | 9y ago | Stack-based buffer overflow in GCoreServer.exe in the server in Geutebrueck Gcore 1.3.8.42 and 1.4.2.37 allows remote attackers to execute arbitrary code via a long URI in a GET request. | |
| CVE-2017-9980 | critical | 9.8 | 9.8 | 9y ago | In Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, the "PING" (aka tag_ipPing) feature within the web interface allows performing command injection, via the "pip" parameter. | |
| CVE-2017-9932 | critical | 9.8 | 9.8 | 9y ago | Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a default password of admin for the admin account. | |
| CVE-2017-11502 | critical | 9.8 | 9.8 | 9y ago | Technicolor DPC3928AD DOCSIS devices allow remote attackers to read arbitrary files via a request starting with "GET /../" on TCP port 4321. | |
| CVE-2017-11495 | critical | 9.8 | 9.8 | 9y ago | PHICOMM K2(PSG1218) devices V22.5.11.5 and earlier allow unauthenticated remote code execution via a request to an unspecified ASP script; alternatively, the attacker can leverage unauthenticated acc… | |
| CVE-2017-7062 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. macOS before 10.12.6 is affected. tvOS before 10.2.2 is affected. watchOS before 3.2.3 is affected. The issue involve… | |
| CVE-2017-6532 | critical | 9.8 | 9.8 | 9y ago | Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 have cleartext credentials in /mib.db. | |
| CVE-2017-6531 | critical | 9.8 | 9.8 | 9y ago | On Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20, the backup/restore feature lacks access control, related to ReadFile.cgi and LoadCfgFile. | |
| CVE-2017-6530 | critical | 9.8 | 9.8 | 9y ago | Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 do not check password.shtml authorization, leading to Arbitrary password change. | |
| CVE-2017-9785 | critical | 9.8 | 9.8 | 9y ago | Deserialization of Untrusted Data in NancyFX Nancy | |
| CVE-2017-11474 | critical | 9.8 | 9.8 | 9y ago | GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/computer_softwareversion.class.php, exploitable via ajax/common.tabs.php. | |
| CVE-2017-11471 | critical | 9.8 | 9.8 | 9y ago | IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php via the element parameter. | |
| CVE-2017-11470 | critical | 9.8 | 9.8 | 9y ago | IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php via the element parameter. | |
| CVE-2017-11467 | critical | 9.8 | 9.8 | 9y ago | OrientDB vulnerable to Improper Privilage Management leading to arbitrary command injection | |
| CVE-2017-11465 | critical | 9.8 | 9.8 | 9y ago | The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script… | |
| CVE-2017-7977 | critical | 9.8 | 9.8 | 9y ago | The Screensavercc component in eLux RP before 5.5.0 allows attackers to bypass intended configuration restrictions and execute arbitrary commands with root privileges by inserting commands in a local… | |
| CVE-2017-11445 | critical | 9.8 | 9.8 | 9y ago | Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/actions.php via the $_POST array. | |
| CVE-2017-11444 | critical | 9.8 | 9.8 | 9y ago | Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /front/search.php via the $_GET array. | |
| CVE-2017-11436 | critical | 9.8 | 9.8 | 9y ago | D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 BACKDOOR value, which might allow remote attackers to obtain access via a TELNET connection. | |
| CVE-2017-11435 | critical | 9.8 | 9.8 | 9y ago | The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authentication bypass vulnerability via specially crafted requests to the management console. The bug is exploitable remotely when the route… | |
| CVE-2017-11420 | critical | 9.8 | 9.8 | 9y ago | Stack-based buffer overflow in ASUS_Discovery.c in networkmap in Asuswrt-Merlin firmware for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-… | |
| CVE-2017-11419 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST['id'] and $_POST['art_title']. | |
| CVE-2017-11418 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET['cat'], $_GET['user'], $_GET['level'], and $_GET['iSortCol_'.$i]. | |
| CVE-2017-11417 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET['id']. | |
| CVE-2017-11416 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/insert.php via the name parameter. | |
| CVE-2017-11415 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article.php via $_POST['parent_id'], $_POST['desc'], $_POST['keys'], and $_POST['level']. | |
| CVE-2017-11414 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment.php via $_POST['comment'], $_POST['name'], $_POST['web'], $_POST['email'], $_POST['status'], $_POST['id'], and $_REQUEST['id']. | |
| CVE-2017-11413 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/comment_status.php via $_GET['id']. | |
| CVE-2017-11412 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/comment_status.php via $_GET['id']. | |
| CVE-2017-9811 | critical | 9.8 | 9.8 | 9y ago | The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). By abusing the quarantine rea… | |
| CVE-2017-10984 | critical | 9.8 | 9.8 | 9y ago | An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in data2vp_wimax()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary … | |
| CVE-2017-10979 | critical | 9.8 | 9.8 | 9y ago | An FR-GV-202 issue in FreeRADIUS 2.x before 2.2.10 allows "Write overflow in rad_coalesce()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary c… | |
| CVE-2017-8011 | critical | 9.8 | 9.8 | 9y ago | EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SAS Solution Packs (EMC ViPR SRM prior to 4.1, EMC Storage M&R prior to 4.1, EMC VNX M&R all versions, EMC M&R (Watch4Net) for SAS Solution Pac… | |
| CVE-2017-7673 | critical | 9.8 | 9.8 | 9y ago | Apache OpenMeetings has Inadequate Encryption Strength | |
| CVE-2017-2345 | critical | 9.8 | 9.8 | 9y ago | On Junos OS devices with SNMP enabled, a network based attacker with unfiltered access to the RE can cause the Junos OS snmpd daemon to crash and restart by sending a crafted SNMP packet. Repeated cr… | |
| CVE-2017-2343 | critical | 9.8 | 9.8 | 9y ago | The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user profiles on top of the existing fi… | |
| CVE-2017-11362 | critical | 9.8 | 9.8 | 9y ago | In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buff… | |
| CVE-2017-11354 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_article/sys_article.php via the name parameter in editing or adding a tag name. | |
| CVE-2017-11349 | critical | 9.8 | 9.8 | 9y ago | dataTaker DT8x dEX 1.72.007 allows remote attackers to compose programs or schedules, for purposes such as sending e-mail messages or making outbound connections to FTP servers for uploading data. | |
| CVE-2017-11346 | critical | 9.8 | 9.8 | 9y ago | Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos. | |
| CVE-2017-11329 | critical | 9.8 | 9.8 | 9y ago | GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.php request with an entity_restrict parameter that is not a list of integers. | |
| CVE-2017-10601 | critical | 9.8 | 9.8 | 9y ago | A specific device configuration can result in a commit failure condition. When this occurs, a user is logged in without being prompted for a password while trying to login through console, ssh, ftp, … | |
| CVE-2017-1000362 | critical | 9.8 | 9.8 | 9y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |
| CVE-2017-1000081 | critical | 9.8 | 9.8 | 9y ago | Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of applications (.oar) resulting in remote code execution. | |
| CVE-2017-1000075 | critical | 9.8 | 9.8 | 9y ago | Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the memcmp function | |
| CVE-2017-1000074 | critical | 9.8 | 9.8 | 9y ago | Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the string_repeat() function. | |
| CVE-2017-1000073 | critical | 9.8 | 9.8 | 9y ago | Creolabs Gravity version 1.0 is vulnerable to a heap overflow in an undisclosed component that can result in arbitrary code execution. | |
| CVE-2017-1000072 | critical | 9.8 | 9.8 | 9y ago | Creolabs Gravity version 1.0 is vulnerable to a Double Free in gravity_value resulting potentially leading to modification of unexpected memory locations | |
| CVE-2017-1000060 | critical | 9.8 | 9.8 | 9y ago | EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leading to remote root | |
| CVE-2017-1000056 | critical | 9.8 | 9.8 | 9y ago | Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object. | |
| CVE-2017-1000047 | critical | 9.8 | 9.8 | 9y ago | rbenv (all current versions) is vulnerable to Directory Traversal in the specification of Ruby version resulting in arbitrary code execution | |
| CVE-2017-1000044 | critical | 9.8 | 9.8 | 9y ago | gtk-vnc 0.4.2 and older doesn't check framebuffer boundaries correctly when updating framebuffer which may lead to memory corruption when rendering | |
| CVE-2017-1000039 | critical | 9.8 | 9.8 | 9y ago | Framadate version 1.0 is vulnerable to Formula Injection in the CSV Export resulting possible Information Disclosure and Code Execution | |
| CVE-2017-1000037 | critical | 9.8 | 9.8 | 9y ago | RVM automatically loads environment variables from files in $PWD resulting in command execution RVM vulnerable to command injection when automatically loading environment variables from files in $PWD… | |
| CVE-2017-1000030 | critical | 9.8 | 9.8 | 9y ago | Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Java Key Store Password Disclosure vulnerability, that makes it possible to provide an unauthenticated attacker plain te… | |
| CVE-2017-1000020 | critical | 9.8 | 9.8 | 9y ago | SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending S… | |
| CVE-2017-1000009 | critical | 9.8 | 9.8 | 9y ago | Akeneo PIM vulnerable to shell injection in the mass edition | |
| CVE-2017-1000004 | critical | 9.8 | 9.8 | 9y ago | ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course … | |
| CVE-2017-1000003 | critical | 9.8 | 9.8 | 9y ago | ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and ea… |