CVE List - 2017 / December
Showing 501 - 600 of 1105 CVEs for December 2017 (Page 6 of 12)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2017-17607 | 2017-12-13 | CMS Auditor Website 1.0 has SQL Injection via the PATH_INFO to /news-detail. |
| CVE-2017-17608 | 2017-12-13 | Child Care Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17609 | 2017-12-13 | Chartered Accountant Booking Script 1.0 has SQL Injection via the /service-list city parameter. |
| CVE-2017-17610 | 2017-12-13 | E-commerce MLM Software 1.0 has SQL Injection via the service_detail.php pid parameter, event_detail.php eventid parameter, or news_detail.php newid parameter. |
| CVE-2017-17611 | 2017-12-13 | Doctor Search Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17612 | 2017-12-13 | Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or mctid parameter. |
| CVE-2017-17613 | 2017-12-13 | Freelance Website Script 2.0.6 has SQL Injection via the jobdetails.php pr_id parameter or the searchbycat_list.php catid parameter. |
| CVE-2017-17614 | 2017-12-13 | Food Order Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17615 | 2017-12-13 | Facebook Clone Script 1.0 has SQL Injection via the friend-profile.php id parameter. |
| CVE-2017-17616 | 2017-12-13 | Event Search Script 1.0 has SQL Injection via the /event-list city parameter. |
| CVE-2017-17617 | 2017-12-13 | Foodspotting Clone Script 1.0 has SQL Injection via the quicksearch.php q parameter. |
| CVE-2017-17618 | 2017-12-13 | Kickstarter Clone Script 2.0 has SQL Injection via the investcalc.php projid parameter. |
| CVE-2017-17619 | 2017-12-13 | Laundry Booking Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17620 | 2017-12-13 | Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city parameter. |
| CVE-2017-17621 | 2017-12-13 | Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI. |
| CVE-2017-17622 | 2017-12-13 | Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter. |
| CVE-2017-17623 | 2017-12-13 | Opensource Classified Ads Script 3.2 has SQL Injection via the advance_result.php keyword parameter. |
| CVE-2017-17624 | 2017-12-13 | PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter. |
| CVE-2017-17625 | 2017-12-13 | Professional Service Script 1.0 has SQL Injection via the service-list city parameter. |
| CVE-2017-17626 | 2017-12-13 | Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter. |
| CVE-2017-17627 | 2017-12-13 | Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter. |
| CVE-2017-17628 | 2017-12-13 | Responsive Realestate Script 3.2 has SQL Injection via the property-list tbud parameter. |
| CVE-2017-17629 | 2017-12-13 | Secure E-commerce Script 2.0.1 has SQL Injection via the category.php searchmain or searchcat parameter, or the single_detail.php sid parameter. |
| CVE-2017-17630 | 2017-12-13 | Yoga Class Script 1.0 has SQL Injection via the /list city parameter. |
| CVE-2017-17631 | 2017-12-13 | Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the success-story.php succid parameter. |
| CVE-2017-17632 | 2017-12-13 | Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. |
| CVE-2017-17633 | 2017-12-13 | Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid parameter. |
| CVE-2017-17634 | 2017-12-13 | Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. |
| CVE-2017-17635 | 2017-12-13 | MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter. |
| CVE-2017-17636 | 2017-12-13 | MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter. |
| CVE-2017-17637 | 2017-12-13 | Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val parameter. |
| CVE-2017-17638 | 2017-12-13 | Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter. |
| CVE-2017-17639 | 2017-12-13 | Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter. |
| CVE-2017-17640 | 2017-12-13 | Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter. |
| CVE-2017-17641 | 2017-12-13 | Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter. |
| CVE-2017-17642 | 2017-12-13 | Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job. |
| CVE-2017-14589 | 2017-12-13 | It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website... |
| CVE-2017-14590 | 2017-12-13 | Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an... |
| CVE-2017-17382 | 2017-12-13 | Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 might allow remote attackers... |
| CVE-2017-17427 | 2017-12-13 | Radware Alteon devices with a firmware version between 31.0.0.0-31.0.3.0 are vulnerable to an adaptive-chosen ciphertext attack ("Bleichenbacher attack"). This allows an attacker to decrypt observed traffic that has been encrypted... |
| CVE-2017-17537 | 2017-12-13 | MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated remote attacker to cause a denial of service by connecting to TCP port 53 and sending data that begins with many '\0'... |
| CVE-2017-17549 | 2017-12-13 | Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 allow remote attackers to... |
| CVE-2017-17648 | 2017-12-13 | Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_result.php marital, gender, country, or profileid parameter. |
| CVE-2017-1421 | 2017-12-13 | IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure... |
| CVE-2017-1546 | 2017-12-13 | IBM DOORS Next Generation (DNG/RRC) 4.07, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the... |
| CVE-2017-1558 | 2017-12-13 | IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web... |
| CVE-2017-1635 | 2017-12-13 | IBM Tivoli Monitoring V6 6.2.2.x could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free error. A remote attacker could exploit this vulnerability to... |
| CVE-2017-1716 | 2017-12-13 | IBM Tivoli Workload Scheduler 8.6.0, 9.1.0, and 9.2.0 could disclose sensitive information to a local attacker due to improper permission settings. IBM X-Force ID: 134638. |
| CVE-2017-15529 | 2017-12-13 | Prior to 4.4.1.10, the Norton Family Android App can be susceptible to a Denial of Service (DoS) exploit. A DoS attack is a type of attack whereby the perpetrator attempts... |
| CVE-2017-15530 | 2017-12-13 | Prior to 4.4.1.10, the Norton Family Android App can be susceptible to an Information Disclosure issue. Information disclosure is a very common issue that attackers will attempt to exploit as... |
| CVE-2017-14380 | 2017-12-13 | In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, 7.2.1.0 - 7.2.1.5, 7.2.0.x, and 7.1.1.x, a malicious compliance admin (compadmin) account user could exploit a vulnerability in isi_get_itrace... |
| CVE-2017-17664 | 2017-12-13 | A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause... |
| CVE-2017-17665 | 2017-12-13 | In Octopus Deploy before 4.1.3, the machine update process doesn't check that the user has access to all environments. This allows an access-control bypass because the set of environments to... |
| CVE-2017-11305 | 2017-12-13 | A regression affecting Adobe Flash Player version 27.0.0.187 (and earlier versions) causes the unintended reset of the global settings preference file when a user clears browser data. |
| CVE-2017-7738 | 2017-12-13 | An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.5, 5.2 and below versions allow an admin user with super_admin privileges to view the current SSL VPN... |
| CVE-2017-17671 | 2017-12-14 | vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary... |
| CVE-2017-17672 | 2017-12-14 | In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in... |
| CVE-2017-17680 | 2017-12-14 | In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadXPMImage in coders/xpm.c, which allows attackers to cause a denial of service via a crafted xpm image... |
| CVE-2017-17681 | 2017-12-14 | In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found in the function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted... |
| CVE-2017-17682 | 2017-12-14 | In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted... |
| CVE-2017-17683 | 2017-12-14 | Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c44 \\.\PSMEMDriver DeviceIoControl request. |
| CVE-2017-17684 | 2017-12-14 | Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c04 \\.\PSMEMDriver DeviceIoControl request. |
| CVE-2017-5663 | 2017-12-14 | In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incubating, an authenticated user with client/loan/center/staff/group read permissions is able to inject malicious SQL into SELECT queries. The 'sqlSearch' parameter on a number of... |
| CVE-2017-17511 | 2017-12-14 | KildClient 3.1.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related... |
| CVE-2017-17513 | 2017-12-14 | TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17514 | 2017-12-14 | boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17515 | 2017-12-14 | etc/ObjectList in Metview 4.7.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17516 | 2017-12-14 | scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks... |
| CVE-2017-17517 | 2017-12-14 | libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a... |
| CVE-2017-17518 | 2017-12-14 | swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via... |
| CVE-2017-17519 | 2017-12-14 | batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries) 2.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection... |
| CVE-2017-17520 | 2017-12-14 | tools/url_handler.pl in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17521 | 2017-12-14 | uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a... |
| CVE-2017-17522 | 2017-12-14 | Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a... |
| CVE-2017-17524 | 2017-12-14 | library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17525 | 2017-12-14 | guiclient/guiclient.cpp in xTuple PostBooks 4.7.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a... |
| CVE-2017-17526 | 2017-12-14 | Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via... |
| CVE-2017-17527 | 2017-12-14 | delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17528 | 2017-12-14 | backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17529 | 2017-12-14 | af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17530 | 2017-12-14 | common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17531 | 2017-12-14 | gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a... |
| CVE-2017-17532 | 2017-12-14 | examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17533 | 2017-12-14 | default.tcl in Tkabber 1.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17534 | 2017-12-14 | uiutil.c in Mensis 0.0.080507 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted... |
| CVE-2017-17535 | 2017-12-14 | lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via... |
| CVE-2017-7344 | 2017-12-14 | A privilege escalation in Fortinet FortiClient Windows 5.4.3 and earlier as well as 5.6.0 allows attacker to gain privilege via exploiting the Windows "security alert" dialog thereby popping up when... |
| CVE-2016-10703 | 2017-12-14 | A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server... |
| CVE-2017-5264 | 2017-12-14 | Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request... |
| CVE-2017-16355 | 2017-12-14 | In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of... |
| CVE-2017-17405 | 2017-12-15 | Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe... |
| CVE-2017-17670 | 2017-12-15 | In VideoLAN VLC media player through 2.2.8, there is a type conversion vulnerability in modules/demux/mp4/libmp4.c in the MP4 demux module leading to a invalid free, because the type of a... |
| CVE-2017-17693 | 2017-12-15 | Techno - Portfolio Management Panel through 2017-11-16 does not check authorization for panel/portfolio.php?action=delete requests that remove feedback. |
| CVE-2017-17694 | 2017-12-15 | Techno - Portfolio Management Panel through 2017-11-16 allows XSS via the panel/search.php s parameter. |
| CVE-2017-17695 | 2017-12-15 | Techno - Portfolio Management Panel through 2017-11-16 allows SQL Injection via the panel/search.php s parameter. |
| CVE-2017-17696 | 2017-12-15 | Techno - Portfolio Management Panel through 2017-11-16 allows full path disclosure via an invalid s parameter to panel/search.php. |
| CVE-2017-17697 | 2017-12-15 | The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping. |
| CVE-2017-10904 | 2017-12-15 | Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. |
| CVE-2017-10905 | 2017-12-15 | A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. |
| CVE-2017-11397 | 2017-12-15 | A service DLL preloading vulnerability in Trend Micro Encryption for Email versions 5.6 and below could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. |