CVEs from 2017

- Total: 11,713
- critical: 1,647
- high: 5,041
- medium: 4,168
- low: 159
- % Critical: 14.1%
- % with KEV: 0.7%
- % with exploit: 1.8%
Top vendors
Top products
- imagemagick 1,426
- joomla! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7494 | high | — | 10.0 | 3y ago | Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and the… | |||
| CVE-2017-5070 | critical | — | 10.0 | 4y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web … | |||
| CVE-2017-5030 | critical | — | 10.0 | 4y ago | Google Chromium V8 Engine contains a memory corruption vulnerability that allows a remote attacker to execute code via a crafted HTML page. This vulnerability could affect multiple web browsers that … | |||
| CVE-2017-8291 | high | — | 10.0 | 4y ago | Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an in… | |||
| CVE-2017-9841 | critical | — | 10.0 | 4y ago | PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., exte… | |||
| CVE-2017-16651 | high | — | 10.0 | 5y ago | Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the … | |||
| CVE-2017-17968 | critical | 9.8 | 10.0 | 9y ago | A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP respons… | |||
| CVE-2017-17932 | critical | 9.8 | 10.0 | 9y ago | A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on th… | |||
| CVE-2017-17411 | critical | 9.8 | 10.0 | 9y ago | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exis… | |||
| CVE-2017-17105 | critical | 9.8 | 10.0 | 9y ago | Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-between versions) web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the w… | |||
| CVE-2017-17560 | critical | 9.8 | 10.0 | 9y ago | An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is… | |||
| CVE-2017-11291 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A Server-Side Request Forgery (SSRF) vulnerability exists that could be abused to bypass network access controls. | |||
| CVE-2017-14378 | critical | 10.0 | 10.0 | 9y ago | EMC RSA Authentication Agent API 8.5 for C and RSA Authentication Agent SDK 8.6 for C allow attackers to bypass authentication, aka an "Error Handling Vulnerability." | |||
| CVE-2017-16845 | critical | 10.0 | 10.0 | 9y ago | hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. | |||
| CVE-2017-10269 | critical | 10.0 | 10.0 | 9y ago | Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core). Supported versions that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. Easily exploitable vulnerabi… | |||
| CVE-2017-12635 | critical | 9.8 | 10.0 | 9y ago | multiple issues in couchdb | |||
| CVE-2017-10151 | critical | 10.0 | 10.0 | 9y ago | Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Default Account). Supported versions that are affected are 11.1.1.7, 11.1.2.3 and 12.2.1.3. Easily ex… | |||
| CVE-2017-15222 | critical | 9.8 | 10.0 | 9y ago | Buffer Overflow vulnerability in Ayukov NFTPD 2.0 and earlier allows remote attackers to execute arbitrary code. | |||
| CVE-2017-10405 | critical | 10.0 | 10.0 | 9y ago | Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Report). Supported versions that are affected are 8.5.1 and 9.0.0. Easily e… | |||
| CVE-2017-10402 | critical | 10.0 | 10.0 | 9y ago | Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Report). Supported versions that are affected are 8.5.1 and 9.0.0. Easily e… | |||
| CVE-2017-14980 | critical | 9.8 | 10.0 | 9y ago | Buffer overflow in Sync Breeze Enterprise 10.0.28 allows remote attackers to have unspecified impact via a long username parameter to /login. | |||
| CVE-2017-13995 | critical | 10.0 | 10.0 | 9y ago | An Improper Authentication issue was discovered in iniNet Solutions iniNet Webserver, all versions prior to V2.02.0100. The webserver does not properly authenticate users, which may allow a malicious… | |||
| CVE-2017-12905 | critical | 10.0 | 10.0 | 9y ago | Server Side Request Forgery vulnerability in Vebto Pixie Image Editor 1.4 and 1.7 allows remote attackers to disclose information or execute arbitrary code via the url parameter to Launderer.php. | |||
| CVE-2017-14706 | critical | 9.8 | 10.0 | 9y ago | DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken … | |||
| CVE-2017-14143 | critical | 9.8 | 10.0 | 9y ago | The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcoded cookie secret to validate cookie signatures, which allows remote attackers to bypass an intended protection mechanism and cons… | |||
| CVE-2017-13067 | critical | 9.8 | 10.0 | 9y ago | QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. This particular vulnerabili… | |||
| CVE-2017-13708 | critical | 9.8 | 10.0 | 9y ago | Buffer overflow in the web server service in VX Search Enterprise 10.0.14 allows remote attackers to execute arbitrary code via a crafted GET request. | |||
| CVE-2017-10137 | critical | 10.0 | 10.0 | 9y ago | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: JNDI). Supported versions that are affected are 10.3.6.0 and 12.1.3.0. Easily exploitable vulnerabilit… | |||
| CVE-2017-12478 | critical | 9.8 | 10.0 | 9y ago | It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw … | |||
| CVE-2017-12477 | critical | 9.8 | 10.0 | 9y ago | It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacke… | |||
| CVE-2017-7928 | critical | 10.0 | 10.0 | 9y ago | An Improper Access Control issue was discovered in Schweitzer Engineering Laboratories (SEL) SEL-3620 and SEL-3622 Security Gateway Versions R202 and, R203, R203-V1, R203-V2 and, R204, R204-V1. The d… | |||
| CVE-2017-11394 | critical | 9.8 | 10.0 | 9y ago | Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by par… | |||
| CVE-2017-9769 | critical | 9.8 | 10.0 | 9y ago | A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse 2.20.15.1104 that is forwarded to ZwOpenProcess allowing a handle to be opened to an arbitrary process. | |||
| CVE-2017-11517 | critical | 9.8 | 10.0 | 9y ago | Stack-based buffer overflow in GCoreServer.exe in the server in Geutebrueck Gcore 1.3.8.42 and 1.4.2.37 allows remote attackers to execute arbitrary code via a long URI in a GET request. | |||
| CVE-2017-11467 | critical | 9.8 | 10.0 | 9y ago | OrientDB vulnerable to Improper Privilege Management leading to arbitrary command injection | |||
| CVE-2017-7664 | critical | 10.0 | 10.0 | 9y ago | Apache OpenMeetings does not correctly validate uploaded XML documents | |||
| CVE-2017-1000002 | critical | 9.8 | 10.0 | 9y ago | ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vu… | |||
| CVE-2017-10921 | critical | 10.0 | 10.0 | 9y ago | The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and GNTMAP_host_map mapping, which allows guest OS users to cause a denial of service (coun… | |||
| CVE-2017-10920 | critical | 10.0 | 10.0 | 9y ago | The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and GNTMAP_host_map mapping, when followed by only a GNTMAP_host_map unmapping, which allows guest OS users to cause a deni… | |||
| CVE-2017-10918 | critical | 10.0 | 10.0 | 9y ago | Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privileged host OS access, aka XSA-222. | |||
| CVE-2017-10912 | critical | 10.0 | 10.0 | 9y ago | Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka XSA-217. | |||
| CVE-2017-6326 | critical | 10.0 | 10.0 | 9y ago | The Symantec Messaging Gateway can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute commands remotely on a target machi… | |||
| CVE-2017-3088 | critical | 10.0 | 10.0 | 9y ago | Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF runtime engine. Successful exploitation could lead to arbitrary code execution. | |||
| CVE-2017-7876 | critical | 10.0 | 10.0 | 9y ago | This command injection vulnerability in QTS allows attackers to run arbitrary commands in the compromised application. QNAP have already fixed the issue in QTS 4.2.6 build 20170517, QTS 4.3.3.0174 bu… | |||
| CVE-2017-9544 | critical | 9.8 | 10.0 | 9y ago | There is a remote stack-based buffer overflow (SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1. By sending an overly long username string to registresult.htm for registering… | |||
| CVE-2017-8835 | critical | 9.8 | 10.0 | 9y ago | SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. An attack vector is the bauth coo… | |||
| CVE-2017-9232 | critical | 9.8 | 10.0 | 9y ago | Juju uses a UNIX domain socket without setting appropriate permissions in github.com/juju/juju | |||
| CVE-2017-1092 | critical | 9.8 | 10.0 | 9y ago | IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390. | |||
| CVE-2017-9101 | critical | 9.8 | 10.0 | 9y ago | import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file. | |||
| CVE-2017-8917 | critical | 9.8 | 10.0 | 9y ago | SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2017-7213 | critical | 10.0 | 10.0 | 9y ago | Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors. | |||
| CVE-2017-8895 | critical | 9.8 | 10.0 | 9y ago | In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before build 14.2.1180.3160, and 16 before FP1, there is a use-after-free vulnerability in multiple agents that can lead to a denial of ser… | |||
| CVE-2017-8794 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered on Accellion FTA devices before FTA_9_12_180. Because a regular expression (intended to match local https URLs) lacks an initial ^ character, courier/web/1000@/wmProgressval.h… | |||
| CVE-2017-6553 | critical | 9.8 | 10.0 | 9y ago | Buffer Overflow in Quest One Identity Privilege Manager for Unix before 6.0.0.061 allows remote attackers to obtain full access to the policy server via an ACT_ALERT_EVENT request that causes memory … | |||
| CVE-2017-8110 | critical | 10.0 | 10.0 | 9y ago | www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. | |||
| CVE-2017-3623 | critical | 10.0 | 10.0 | 9y ago | Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel RPC). For supported versions that are affected see note. Easily "exploitable" vulnerability allows un… | |||
| CVE-2017-2320 | critical | 10.0 | 10.0 | 9y ago | A vulnerability in Juniper Networks NorthStar Controller Application prior to version 2.1.0 Service Pack 1 may allow an unauthenticated, unprivileged, network-based attacker to cause various denials … | |||
| CVE-2017-7964 | critical | 10.0 | 10.0 | 9y ago | Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in… | |||
| CVE-2017-7722 | critical | 10.0 | 10.0 | 9y ago | In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiti… | |||
| CVE-2017-7581 | critical | 9.8 | 10.0 | 9y ago | SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand f… | |||
| CVE-2017-5226 | critical | 10.0 | 10.0 | 9y ago | When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an a… | |||
| CVE-2017-7230 | critical | 9.8 | 10.0 | 9y ago | A buffer overflow vulnerability in Disk Sorter Enterprise 9.5.12 and earlier allows remote attackers to execute arbitrary code via a GET request. | |||
| CVE-2017-2788 | critical | 10.0 | 10.0 | 9y ago | A buffer overflow exists in the psnotifyd application of the Pharos PopUp printer client version 9.0. A specially crafted packet can be sent to the victim's computer and can lead to a heap based buf… | |||
| CVE-2017-2785 | critical | 10.0 | 10.0 | 9y ago | An exploitable buffer overflow exists in the psnotifyd application of the Pharos PopUp printer client version 9.0. A specially crafted packet can be sent to the victim's computer and can lead to a he… | |||
| CVE-2017-6465 | critical | 9.8 | 10.0 | 9y ago | Remote Code Execution was discovered in FTPShell Client 6.53. By default, the client sends a PWD command to the FTP server it is connecting to; however, it doesn't check the response's length, leadin… | |||
| CVE-2017-6526 | critical | 9.8 | 10.0 | 9y ago | An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi PO… | |||
| CVE-2017-6416 | critical | 9.8 | 10.0 | 9y ago | An issue was discovered in SysGauge 1.5.18. A buffer overflow vulnerability in SMTP connection verification leads to arbitrary code execution. The attack vector is a crafted SMTP daemon that sends a … | |||
| CVE-2017-6187 | critical | 9.8 | 10.0 | 9y ago | Buffer overflow in the built-in web server in DiskSavvy Enterprise 9.4.18 allows remote attackers to execute arbitrary code via a long URI in a GET request. | |||
| CVE-2017-5162 | critical | 9.8 | 10.0 | 9y ago | An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. Lack of authentication for remote service gives access to application set up and configuration. | |||
| CVE-2017-5145 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vuln… | |||
| CVE-2017-3791 | critical | 10.0 | 10.0 | 9y ago | A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges. The vulnerability … | |||
| CVE-2017-3324 | critical | 10.0 | 10.0 | 10y ago | Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.2, 8.3, 8… | |||
| CVE-2017-3248 | critical | 9.8 | 10.0 | 10y ago | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. … | |||
| CVE-2017-10272 | critical | 9.9 | 9.9 | 9y ago | Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core). Supported versions that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. Easily exploitable vulnerabi… | |||
| CVE-2017-10404 | critical | 9.9 | 9.9 | 9y ago | Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: iQuery). Supported versions that are affected are 8.5.1 and 9.0.0. Easily e… | |||
| CVE-2017-10396 | critical | 9.9 | 9.9 | 9y ago | Vulnerability in the Oracle Hospitality Cruise AffairWhere component of Oracle Hospitality Applications (subcomponent: AffairWhere). Supported versions that are affected are 2.2.5.0, 2.2.6.0 and 2.2.… | |||
| CVE-2017-10352 | critical | 9.9 | 9.9 | 9y ago | Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS - Web Services). The supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12… | |||
| CVE-2017-12251 | critical | 9.9 | 9.9 | 9y ago | A vulnerability in the web console of the Cisco Cloud Services Platform (CSP) 2100 could allow an authenticated, remote attacker to interact maliciously with the services or virtual machines (VMs) op… | |||
| CVE-2017-13706 | critical | 9.9 | 9.9 | 9y ago | XML external entity (XXE) vulnerability in the import package functionality of the deployment module in Lansweeper before 6.0.100.67 allows remote authenticated users to obtain sensitive information,… | |||
| CVE-2017-12822 | critical | 9.9 | 9.9 | 9y ago | Remote enabling and disabling admin interface in Gemalto's HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to new attack vectors. | |||
| CVE-2017-10202 | critical | 9.9 | 9.9 | 9y ago | Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows low privileged attacke… | |||
| CVE-2017-7175 | critical | 9.9 | 9.9 | 9y ago | NfSen before 1.3.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the customfmt parameter (aka the "Custom output format" field). | |||
| CVE-2017-1253 | critical | 9.9 | 9.9 | 9y ago | IBM Security Guardium 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerabilit… | |||
| CVE-2017-4901 | critical | 9.9 | 9.9 | 9y ago | The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 has an out-of-bounds memory access vulnerability. This may allow a guest to execu… | |||
| CVE-2017-8220 | critical | 9.9 | 9.9 | 9y ago | TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n allow remote code execution with a single HTTP request by placing shell commands in a "host=" line within HTTP P… | |||
| CVE-2017-3553 | critical | 9.9 | 9.9 | 9y ago | Vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware (subcomponent: Rules Engine). The supported version that is affected is 11.1.2.3.0. Easily "exploitable" vulnerabili… | |||
| CVE-2017-3503 | critical | 9.9 | 9.9 | 9y ago | Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access (Apache Commons BeanUtils)). Supported versions that a… | |||
| CVE-2017-6513 | critical | 9.9 | 9.9 | 9y ago | The WHMCS Reseller Module V2 2.0.2 in Softaculous Virtualizor before 2.9.1.0 does not verify the user correctly, which allows remote authenticated users to control other virtual machines managed by V… | |||
| CVE-2017-1000116 | critical | 9.8 | 9.8 | 4y ago | Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks. | |||
| CVE-2017-17458 | critical | 9.8 | 9.8 | 4y ago | In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the rep… | |||
| CVE-2017-7550 | critical | 9.8 | 9.8 | 4y ago | A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive infor… | |||
| CVE-2017-10906 | critical | 9.8 | 9.8 | 4y ago | Fluentd Escape Sequence Injection Vulnerability | |||
| CVE-2017-2096 | critical | 9.8 | 9.8 | 4y ago | smalruby and smalruby-editor vulnerable to OS Command Injection | |||
| CVE-2017-0906 | critical | 9.8 | 9.8 | 8y ago | The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result … | |||
| CVE-2017-0889 | critical | 9.8 | 9.8 | 9y ago | paperclip Server-Side Request Forgery vulnerability | |||
| CVE-2017-18001 | critical | 9.8 | 9.8 | 9y ago | Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, vi… | |||
| CVE-2017-17992 | critical | 9.8 | 9.8 | 9y ago | Biometric Shift Employee Management System allows Arbitrary File Download via directory traversal sequences in the index.php form_file_name parameter in a download_form action. | |||
| CVE-2017-17974 | critical | 9.8 | 9.8 | 9y ago | BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_s… | |||
| CVE-2017-17959 | critical | 9.8 | 9.8 | 9y ago | PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter. | |||
| CVE-2017-17957 | critical | 9.8 | 9.8 | 9y ago | PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter. |