CVE List - 2017 / October
Showing 1101 - 1200 of 1398 CVEs for October 2017 (Page 12 of 14)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2015-2878 | 2017-10-23 | Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name... |
| CVE-2015-5379 | 2017-10-23 | Cross-site scripting (XSS) vulnerability in actions.hsp in the Ajax WebMail interface in AXIGEN Mail Server before 9.0 allows remote attackers to inject arbitrary web script or HTML via an email... |
| CVE-2015-5532 | 2017-10-23 | Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s... |
| CVE-2015-5533 | 2017-10-23 | SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php.... |
| CVE-2015-6839 | 2017-10-23 | The parse function in MSA vot.Ar 3.1 does not check whether a candidate receives more than one vote, which allows physically proximate attackers to cast multiple votes for a candidate... |
| CVE-2017-13772 | 2017-10-23 | Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated users to execute arbitrary code via the (1) ping_addr parameter to PingIframeRpm.htm or (2)... |
| CVE-2017-13682 | 2017-10-23 | In Symantec Encryption Desktop before SED 10.4.1 MP2HF1, a kernel memory leak is a type of resource leak that can occur when a computer program incorrectly manages memory allocations in... |
| CVE-2017-13683 | 2017-10-23 | In Symantec Endpoint Encryption before SEE 11.1.3HF3, a kernel memory leak is a type of resource leak that can occur when a computer program incorrectly manages memory allocations in such... |
| CVE-2017-12613 | 2017-10-24 | When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting... |
| CVE-2017-12618 | 2017-10-24 | Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access.... |
| CVE-2017-15081 | 2017-10-24 | In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php. |
| CVE-2014-0691 | 2017-10-24 | Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka... |
| CVE-2014-1203 | 2017-10-24 | The get_login_ip_config_file function in Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php. |
| CVE-2013-3734 | 2017-10-24 | The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure... |
| CVE-2015-5170 | 2017-10-24 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS... |
| CVE-2015-5171 | 2017-10-24 | The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by... |
| CVE-2015-5172 | 2017-10-24 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password... |
| CVE-2015-5173 | 2017-10-24 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password... |
| CVE-2017-14695 | 2017-10-24 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master... |
| CVE-2017-14696 | 2017-10-24 | SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. |
| CVE-2017-15186 | 2017-10-24 | Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file. |
| CVE-2017-15222 | 2017-10-24 | Buffer Overflow vulnerability in Ayukov NFTPD 2.0 and earlier allows remote attackers to execute arbitrary code. |
| CVE-2017-15223 | 2017-10-24 | Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2 and earlier allows remote attackers to waste CPU resources (memory consumption) via unspecified vectors, possibly triggering an infinite loop. |
| CVE-2016-10517 | 2017-10-24 | networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur... |
| CVE-2017-15863 | 2017-10-24 | Cross Site Scripting (XSS) exists in the wp-noexternallinks plugin before 3.5.19 for WordPress via the date1 or date2 parameter to wp-admin/options-general.php. |
| CVE-2017-15867 | 2017-10-24 | Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3)... |
| CVE-2017-15871 | 2017-10-24 | The deserialize function in serialize-to-js through 1.1.1 allows attackers to cause a denial of service via vectors involving an Immediately Invoked Function Expression "function()" substring, as demonstrated by a "function(){console.log("... |
| CVE-2017-15873 | 2017-10-24 | The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation. |
| CVE-2017-15874 | 2017-10-24 | archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation. |
| CVE-2017-15872 | 2017-10-24 | phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field. |
| CVE-2016-3049 | 2017-10-24 | IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's... |
| CVE-2017-1211 | 2017-10-24 | IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0.2 could disclose sensitive information to a local user when logging is enabled. IBM X-Force ID: 123851. |
| CVE-2017-1375 | 2017-10-24 | IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 126868. |
| CVE-2017-1523 | 2017-10-24 | IBM InfoSphere Master Data Management - Collaborative Edition 11.5 could allow an unauthorized user to download reports without authentication. IBM X-Force ID: 129892. |
| CVE-2017-1583 | 2017-10-24 | IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.13)could allow a remote attacker to obtain sensitive information caused by improper error handling by MyFaces in JSF. |
| CVE-2017-15878 | 2017-10-24 | A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature. |
| CVE-2017-15879 | 2017-10-24 | CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export. |
| CVE-2017-1209 | 2017-10-24 | IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering... |
| CVE-2017-1210 | 2017-10-24 | IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0.2 could allow an unauthenticated attacker to inject data into log files made to look legitimate. IBM X-Force ID: 123850. |
| CVE-2017-1212 | 2017-10-24 | IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0.2 is vulnerable to a denial of service when viewing or opening a large file. IBM X-Force ID: 123852. |
| CVE-2017-15881 | 2017-10-24 | Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than... |
| CVE-2017-15880 | 2017-10-24 | SQL injection vulnerability vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the group_name parameter to module/admin_group/add_modify_group.php (for insert_group and... |
| CVE-2017-15885 | 2017-10-25 | Reflected XSS in the web administration portal on the Axis 2100 Network Camera 2.03 allows an attacker to execute arbitrary JavaScript via the conf_Layout_OwnTitle parameter to view/view.shtml. NOTE: this might... |
| CVE-2017-12705 | 2017-10-25 | A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. A maliciously crafted project file may be able to trigger a heap-based buffer overflow, which may crash the process and... |
| CVE-2017-1164 | 2017-10-25 | IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials... |
| CVE-2017-1363 | 2017-10-25 | IBM Team Concert (RTC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to... |
| CVE-2017-1169 | 2017-10-25 | IBM DOORS next Generation (DNG/RRC) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading... |
| CVE-2017-1241 | 2017-10-25 | An unspecified vulnerability in IBM Jazz Foundation based applications might allow the display of stack trace information to an attacker. IBM X-Force ID: 124523. |
| CVE-2017-1295 | 2017-10-25 | IBM RSA DM contains unspecified vulnerability in CLM Applications with potential for information leakage. IBM X-Force ID: 125157. |
| CVE-2017-15906 | 2017-10-26 | The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. |
| CVE-2017-15909 | 2017-10-26 | D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, which allows remote attackers to obtain shell access. |
| CVE-2017-15882 | 2017-10-26 | The London Trust Media Private Internet Access (PIA) application before 1.3.3.1 for Android allows remote attackers to cause a denial of service (application crash) via a large VPN server-list file. |
| CVE-2017-15907 | 2017-10-26 | SQL injection vulnerability in phpCollab 2.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to newsdesk/newsdesk.php. |
| CVE-2017-7335 | 2017-10-26 | A Cross-Site Scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x (6.1-2, 6.1-4 and 6.1-5); 7.0-x (7.0-7, 7.0-8, 7.0-9, 7.0-10); and 8.x (8.0, 8.1, 8.2 and 8.3.0-8.3.2) allows an authenticated user to... |
| CVE-2017-7341 | 2017-10-26 | An OS Command Injection vulnerability in Fortinet FortiWLC 6.1-2 through 6.1-5, 7.0-7 through 7.0-10, 8.0 through 8.2, and 8.3.0 through 8.3.2 file management AP script download webUI page allows an... |
| CVE-2017-7732 | 2017-10-26 | A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet FortiMail 5.1 and earlier, 5.2.0 through 5.2.9, and 5.3.0 through 5.3.9 customized pre-authentication webmail login page allows attacker to inject arbitrary web... |
| CVE-2017-15908 | 2017-10-26 | In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the... |
| CVE-2017-15911 | 2017-10-26 | The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data... |
| CVE-2017-3771 | 2017-10-26 | System boot process is not adequately secured In Lenovo E95 and ThinkCentre M710s/M710t because systems were shipped from factory without completing BIOS/UEFI initialization process. |
| CVE-2017-12158 | 2017-10-26 | It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against... |
| CVE-2017-12159 | 2017-10-26 | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated... |
| CVE-2017-12160 | 2017-10-26 | It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation.... |
| CVE-2017-15096 | 2017-10-26 | A flaw was found in GlusterFS in versions prior to 3.10. A null pointer dereference in send_brick_req function in glusterfsd/src/gf_attach.c may be used to cause denial of service. |
| CVE-2017-15917 | 2017-10-26 | In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create a Map as a read-only user, by forging a request and sending it to the server. |
| CVE-2017-15919 | 2017-10-26 | The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has SQL Injection, with resultant PHP Object Injection, via wp-admin/admin-ajax.php. |
| CVE-2017-15922 | 2017-10-26 | In GNU Libextractor 1.4, there is an out-of-bounds read in the EXTRACTOR_dvi_extract_method function in plugins/dvi_extractor.c. |
| CVE-2017-5996 | 2017-10-26 | The agent in Bomgar Remote Support 15.2.x before 15.2.3, 16.1.x before 16.1.5, and 16.2.x before 16.2.4 allows DLL hijacking because of weak %SYSTEMDRIVE%\ProgramData permissions. |
| CVE-2012-1622 | 2017-10-26 | Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2012-4377 | 2017-10-26 | Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image. |
| CVE-2012-4378 | 2017-10-26 | Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via... |
| CVE-2014-2023 | 2017-10-26 | Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API... |
| CVE-2017-15366 | 2017-10-26 | Before Thornberry NDoc version 8.0, laptop clients and the server have default database (Cache) users set up with a single password. This password is left behind in a cleartext log... |
| CVE-2017-1220 | 2017-10-26 | IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force... |
| CVE-2017-1222 | 2017-10-26 | IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. IBM... |
| CVE-2017-1225 | 2017-10-26 | IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs... |
| CVE-2017-1226 | 2017-10-26 | IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) generates an error message in error logs that includes sensitive information about its environment which could be used in further... |
| CVE-2017-1228 | 2017-10-26 | IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable the secure cookie attribute.... |
| CVE-2017-1230 | 2017-10-26 | IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. This weakness may allow attackers... |
| CVE-2017-1232 | 2017-10-26 | IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. IBM X-Force... |
| CVE-2017-1521 | 2017-10-26 | IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications (IBM BigFix Platform 9.2 and 9.5) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in... |
| CVE-2017-5052 | 2017-10-27 | An incorrect assumption about block structure in Blink in Google Chrome prior to 57.0.2987.133 for Mac, Windows, and Linux, and 57.0.2987.132 for Android, allowed a remote attacker to potentially exploit... |
| CVE-2017-5053 | 2017-10-27 | An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 for Linux, Windows, and Mac, and 57.0.2987.132 for Android, allowed a remote attacker to execute arbitrary code inside a... |
| CVE-2017-5054 | 2017-10-27 | An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 for Linux, Windows, and Mac, and 57.0.2987.132 for Android, allowed a remote attacker to obtain heap memory contents via... |
| CVE-2017-5055 | 2017-10-27 | A use after free in printing in Google Chrome prior to 57.0.2987.133 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a... |
| CVE-2017-5056 | 2017-10-27 | A use after free in Blink in Google Chrome prior to 57.0.2987.133 for Linux, Windows, and Mac, and 57.0.2987.132 for Android, allowed a remote attacker to perform an out of... |
| CVE-2017-5057 | 2017-10-27 | Type confusion in PDFium in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to perform an out of bounds memory... |
| CVE-2017-5058 | 2017-10-27 | A use after free in PrintPreview in Google Chrome prior to 58.0.3029.81 for Windows allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML... |
| CVE-2017-5059 | 2017-10-27 | Type confusion in Blink in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac, and 58.0.3029.83 for Android, allowed a remote attacker to potentially obtain code execution via a... |
| CVE-2017-5060 | 2017-10-27 | Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to perform domain spoofing via IDN... |
| CVE-2017-5061 | 2017-10-27 | A race condition in navigation in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via... |
| CVE-2017-5062 | 2017-10-27 | A use after free in Chrome Apps in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to potentially perform out... |
| CVE-2017-5063 | 2017-10-27 | A numeric overflow in Skia in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac, and 58.0.3029.83 for Android, allowed a remote attacker to perform an out of bounds... |
| CVE-2017-5064 | 2017-10-27 | Incorrect handling of DOM changes in Blink in Google Chrome prior to 58.0.3029.81 for Windows allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE-2017-5065 | 2017-10-27 | Lack of an appropriate action on page navigation in Blink in Google Chrome prior to 58.0.3029.81 for Windows and Mac allowed a remote attacker to potentially confuse a user into... |
| CVE-2017-5066 | 2017-10-27 | Insufficient consistency checks in signature handling in the networking stack in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to... |
| CVE-2017-5067 | 2017-10-27 | An insufficient watchdog timer in navigation in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac allowed a remote attacker to spoof the contents of the Omnibox (URL bar)... |
| CVE-2017-5068 | 2017-10-27 | Incorrect handling of picture ID in WebRTC in Google Chrome prior to 58.0.3029.96 for Mac, Windows, and Linux allowed a remote attacker to trigger a race condition via a crafted... |
| CVE-2017-5069 | 2017-10-27 | Incorrect MIME type of XSS-Protection reports in Blink in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac, and 58.0.3029.83 for Android, allowed a remote attacker to circumvent Cross-Origin... |
| CVE-2017-5071 | 2017-10-27 | Insufficient validation of untrusted input in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows and Mac, and 59.0.3071.92 for Android allowed a remote attacker to perform an out... |
| CVE-2017-5072 | 2017-10-27 | Inappropriate implementation in Omnibox in Google Chrome prior to 59.0.3071.92 for Android allowed a remote attacker to perform domain spoofing with RTL characters via a crafted URL page. |