CVE List - 2017 / September
Showing 101 - 200 of 1228 CVEs for September 2017 (Page 2 of 13)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2015-5959 | 2017-09-06 | Froxlor before 0.9.33.2 with the default configuration/setup might allow remote attackers to obtain the database password by reading /logs/sql-error.log. |
| CVE-2015-6250 | 2017-09-06 | simple-php-captcha before commit 9d65a945029c7be7bb6bc893759e74c5636be694 allows remote attackers to automatically generate the captcha response by running the same code on the client-side. |
| CVE-2015-7225 | 2017-09-06 | Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate... |
| CVE-2015-7241 | 2017-09-06 | XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. |
| CVE-2015-7294 | 2017-09-06 | ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username. |
| CVE-2015-8316 | 2017-09-06 | Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1.16.6 when the XDMCP server is enabled allows remote attackers to cause a denial of service (process crash)... |
| CVE-2017-14169 | 2017-09-07 | In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, an integer signedness error might occur when a crafted file, which claims a large "item_num" field such as 0xffffffff,... |
| CVE-2017-14170 | 2017-09-07 | In libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, a DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted MXF... |
| CVE-2017-14171 | 2017-09-07 | In libavformat/nsvdec.c in FFmpeg 2.4 and 3.3.3, a DoS in nsv_parse_NSVf_header() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted NSV... |
| CVE-2017-14172 | 2017-09-07 | In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file,... |
| CVE-2017-14173 | 2017-09-07 | In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, an integer overflow might occur for the addition operation "GetQuantumRange(depth)+1" when "depth" is large, producing a smaller value than expected. As... |
| CVE-2017-14174 | 2017-09-07 | In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file,... |
| CVE-2017-14175 | 2017-09-07 | In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted XBM file,... |
| CVE-2015-3250 | 2017-09-07 | Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors. |
| CVE-2015-3442 | 2017-09-07 | Soreco Xpert.Line 3.0 allows local users to spoof users and consequently gain privileges by intercepting a Windows API call. |
| CVE-2016-0732 | 2017-09-07 | The identity zones feature in Pivotal Cloud Foundry 208 through 229; UAA 2.0.0 through 2.7.3 and 3.0.0; UAA-Release 2 through 4, when configured with multiple identity zones; and Elastic Runtime... |
| CVE-2016-10405 | 2017-09-07 | Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors. |
| CVE-2017-11567 | 2017-09-07 | Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save.... |
| CVE-2017-12133 | 2017-09-07 | Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to... |
| CVE-2017-12416 | 2017-09-07 | Cross-site scripting (XSS) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3 allows... |
| CVE-2017-12794 | 2017-09-07 | In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this... |
| CVE-2017-12838 | 2017-09-07 | Cross-site request forgery (CSRF) vulnerability in NexusPHP 1.5 allows remote attackers to hijack the authentication of users for requests that (1) send manas via a request to mybonus.php or (2)... |
| CVE-2017-12906 | 2017-09-07 | Multiple cross-site scripting (XSS) vulnerabilities in NexusPHP allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) cheaters.php or (2) confirm_resend.php. |
| CVE-2017-13713 | 2017-09-07 | T&W WIFI Repeater BE126 allows remote authenticated users to execute arbitrary code via shell metacharacters in the user parameter to cgi-bin/webupg. |
| CVE-2017-13754 | 2017-09-07 | Cross-site scripting (XSS) vulnerability in the "advanced settings - time server" module in Wibu-Systems CodeMeter before 6.50b allows remote attackers to inject arbitrary web script or HTML via the "server... |
| CVE-2017-13771 | 2017-09-07 | Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network configuration credentials in plaintext and transmits them in requests, which allows remote attackers to obtain sensitive information via requests to... |
| CVE-2017-6362 | 2017-09-07 | Double free vulnerability in the gdImagePngPtr function in libgd2 before 2.2.5 allows remote attackers to cause a denial of service via vectors related to a palette with no colors. |
| CVE-2017-9458 | 2017-09-07 | XML external entity (XXE) vulnerability in the GlobalProtect internal and external gateway interface in Palo Alto Networks PAN-OS before 6.1.18, 7.0.x before 7.0.17, 7.1.x before 7.1.12, and 8.0.x before 8.0.3... |
| CVE-2015-1590 | 2017-09-07 | The kamcmd administrative utility and default configuration in kamailio before 4.3.0 use /tmp/kamailio_ctl. |
| CVE-2017-12911 | 2017-09-07 | The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in a stack memory corruption when opening a crafted MP3 file. |
| CVE-2017-12912 | 2017-09-07 | The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in a read access violation when opening a crafted MP3 file. |
| CVE-2017-14147 | 2017-09-07 | An issue was discovered on FiberHome User End Routers Bearing Model Number AN1020-25 which could allow an attacker to easily restore a router to its factory settings by simply browsing... |
| CVE-2017-9779 | 2017-09-07 | OCaml compiler allows attackers to have unspecified impact via unknown vectors, a similar issue to CVE-2017-9772 "but with much less impact." |
| CVE-2017-9834 | 2017-09-07 | SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the watupro_questions parameter in a watupro_submit action to wp-admin/admin-ajax.php. |
| CVE-2013-7428 | 2017-09-07 | The Googlemaps plugin before 3.1 for Joomla! allows remote attackers to cause a denial of service via the url parameter to plugin_googlemap2_proxy.php. |
| CVE-2017-1098 | 2017-09-07 | IBM Emptoris Supplier Lifecycle Management 10.1.0.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially... |
| CVE-2017-1189 | 2017-09-07 | IBM WebSphere Portal and Web Content Manager 6.1, 7.0, and 8.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus... |
| CVE-2017-1502 | 2017-09-07 | IBM Content Navigator & CMIS 2.0.3, 3.0.0, and 3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the... |
| CVE-2017-14181 | 2017-09-07 | DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 allows remote attackers to cause a denial of service (invalid memory write, SEGV on unknown address 0x000000000030, and application crash) or possibly have... |
| CVE-2017-14192 | 2017-09-07 | The checktitle function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the module field. |
| CVE-2017-14193 | 2017-09-07 | The oauth function in controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14194 | 2017-09-07 | The out function in controllers/member/Login.php in dayrui FineCms 5.0.11 has XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2017-14195 | 2017-09-07 | The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 might have XSS related to the Referer HTTP header with Internet Explorer. |
| CVE-2014-9565 | 2017-09-07 | Cross-site request forgery (CSRF) vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware 3.4.0000 and earlier. |
| CVE-2015-3169 | 2017-09-07 | Cross-site scripting (XSS) vulnerability in askbot 0.7.51-4.el6.noarch. |
| CVE-2015-3222 | 2017-09-07 | syscheck/seechanges.c in OSSEC 2.7 through 2.8.1 on NIX systems allows local users to execute arbitrary code as root. |
| CVE-2015-3313 | 2017-09-07 | SQL injection vulnerability in WordPress Community Events plugin before 1.4. |
| CVE-2015-3314 | 2017-09-07 | SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5. |
| CVE-2015-3991 | 2017-09-07 | strongSwan 5.2.2 and 5.3.0 allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code. |
| CVE-2015-4085 | 2017-09-07 | Directory traversal vulnerability in node/hooks/express/tests.js in Etherpad frontend tests before 1.6.1. |
| CVE-2015-4619 | 2017-09-07 | Cross-site request forgery (CSRF) vulnerability in Spina before commit bfe44f289e336f80b6593032679300c493735e75. |
| CVE-2015-4627 | 2017-09-07 | SQL injection vulnerability in Pragyan CMS 3.0. |
| CVE-2015-4629 | 2017-09-07 | Huawei E5756S before V200R002B146D23SP00C00 allows remote attackers to read device configuration information, enable PIN/PUK authentication, and perform other unspecified actions. |
| CVE-2015-4697 | 2017-09-07 | Cross-site request forgery (CSRF) vulnerability in Google Analyticator Wordpress Plugin before 6.4.9.3 rev @1183563. |
| CVE-2015-4721 | 2017-09-07 | Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. |
| CVE-2015-4724 | 2017-09-07 | SQL injection vulnerability in Concrete5 5.7.3.1. |
| CVE-2015-5052 | 2017-09-07 | SQL injection vulnerability in Sefrengo before 1.6.5 beta2. |
| CVE-2015-5060 | 2017-09-07 | Cross-site scripting (XSS) vulnerability in anchor-cms before 0.9-dev. |
| CVE-2015-7672 | 2017-09-07 | Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in Centreon 18.10.0 and Centreon web 2.8.27). |
| CVE-2015-8079 | 2017-09-07 | qt5-qtwebkit before 5.4 records private browsing URLs to its favicon database, WebpageIcons.db. |
| CVE-2017-12211 | 2017-09-07 | A vulnerability in the IPv6 Simple Network Management Protocol (SNMP) code of Cisco IOS and Cisco IOS XE Software could allow an authenticated, remote attacker to cause high CPU usage... |
| CVE-2017-12212 | 2017-09-07 | A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web... |
| CVE-2017-12213 | 2017-09-07 | A vulnerability in the dynamic access control list (ACL) feature of Cisco IOS XE Software running on Cisco Catalyst 4000 Series Switches could allow an unauthenticated, adjacent attacker to cause... |
| CVE-2017-12216 | 2017-09-07 | A vulnerability in the web-based user interface of Cisco SocialMiner could allow an unauthenticated, remote attacker to have read and write access to information stored in the affected system. The... |
| CVE-2017-12217 | 2017-09-07 | A vulnerability in the General Packet Radio Service (GPRS) Tunneling Protocol ingress packet handler of Cisco ASR 5500 System Architecture Evolution (SAE) Gateways could allow an unauthenticated, remote attacker to... |
| CVE-2017-12218 | 2017-09-07 | A vulnerability in the malware detection functionality within Advanced Malware Protection (AMP) of Cisco AsyncOS Software for Cisco Email Security Appliances (ESAs) could allow an unauthenticated, remote attacker to cause... |
| CVE-2017-12220 | 2017-09-07 | A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of... |
| CVE-2017-12221 | 2017-09-07 | A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web... |
| CVE-2017-12223 | 2017-09-07 | A vulnerability in the ROM Monitor (ROMMON) code of Cisco IR800 Integrated Services Router Software could allow an unauthenticated, local attacker to boot an unsigned Hypervisor on an affected device... |
| CVE-2017-12224 | 2017-09-07 | A vulnerability in the ability for guest users to join meetings via a hyperlink with Cisco Meeting Server could allow an authenticated, remote attacker to enter a meeting with a... |
| CVE-2017-12225 | 2017-09-07 | A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability.... |
| CVE-2017-12227 | 2017-09-07 | A vulnerability in the SQL database interface for Cisco Emergency Responder could allow an authenticated, remote attacker to conduct a blind SQL injection attack. The vulnerability is due to a... |
| CVE-2017-6631 | 2017-09-07 | A vulnerability in the HTTP remote procedure call (RPC) service of set-top box (STB) receivers manufactured by Cisco for Yes could allow an unauthenticated, remote attacker to cause a denial... |
| CVE-2017-6780 | 2017-09-07 | A vulnerability in the TCP throttling process for Cisco IoT Field Network Director (IoT-FND) could allow an unauthenticated, remote attacker to cause the system to consume additional memory, eventually forcing... |
| CVE-2017-6789 | 2017-09-07 | A vulnerability in the Cisco Unified Intelligence Center web interface could allow an unauthenticated, remote attacker to impact the integrity of the system by executing a Document Object Model (DOM)-based,... |
| CVE-2017-6791 | 2017-09-07 | A vulnerability in the Trust Verification Service (TVS) of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected... |
| CVE-2017-6792 | 2017-09-07 | A vulnerability in the batch provisioning feature in Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to overwrite system files as root. The vulnerability is due to... |
| CVE-2017-6793 | 2017-09-07 | A vulnerability in the Inventory Management feature of Cisco Prime Collaboration Provisioning Tool could allow an authenticated, remote attacker to view sensitive information on the system. The vulnerability is due... |
| CVE-2017-6794 | 2017-09-07 | A vulnerability in the CLI command-parsing code of Cisco Meeting Server could allow an authenticated, local attacker to perform command injection and escalate their privileges to root. The attacker must... |
| CVE-2017-6795 | 2017-09-07 | A vulnerability in the USB-modem code of Cisco IOS XE Software running on Cisco ASR 920 Series Aggregation Services Routers could allow an authenticated, local attacker to overwrite arbitrary files... |
| CVE-2017-6796 | 2017-09-07 | A vulnerability in the USB-modem code of Cisco IOS XE Software running on Cisco ASR 920 Series Aggregation Services Routers could allow an authenticated, local attacker to inject and execute... |
| CVE-2017-6627 | 2017-09-07 | A vulnerability in the UDP processing code of Cisco IOS 15.1, 15.2, and 15.4 and IOS XE 3.14 through 3.18 could allow an unauthenticated, remote attacker to cause the input... |
| CVE-2017-14219 | 2017-09-07 | XSS (persistent) on the Intelbras Wireless N 150Mbps router with firmware WRN 240 allows attackers to steal wireless credentials without being connected to the network, related to userRpm/popupSiteSurveyRpm.htm and userRpm/WlanSecurityRpm.htm.... |
| CVE-2017-11611 | 2017-09-08 | Wolf CMS 0.8.3.1 allows Cross-Site Scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization of the file name in a "create-file-popup" action, and the directory name in a "create-directory-popup"... |
| CVE-2017-9095 | 2017-09-08 | XXE in Diving Log 6.0 allows attackers to remotely view local files through a crafted dive.xml file that is mishandled during a Subsurface import. |
| CVE-2017-11161 | 2017-09-08 | Multiple SQL injection vulnerabilities in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allow remote attackers to execute arbitrary SQL commands via the (1) article_id parameter to label.php; or (2) type... |
| CVE-2017-11162 | 2017-09-08 | Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors. |
| CVE-2017-12071 | 2017-09-08 | Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter. |
| CVE-2017-2550 | 2017-09-08 | Vulnerability in Easy Joomla Backup v3.2.4. The software creates a copy of the backup in the web root with an easily guessable filename. |
| CVE-2011-3177 | 2017-09-08 | The YaST2 network created files with world readable permissions which could have allowed local users to read sensitive material out of network configuration files, like passwords for wireless networks. |
| CVE-2016-5759 | 2017-09-08 | The mkdumprd script called "dracut" in the current working directory "." allows local users to trick the administrator into executing code as root. |
| CVE-2017-14167 | 2017-09-08 | Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address... |
| CVE-2017-12146 | 2017-09-08 | The driver_override implementation in drivers/base/platform.c in the Linux kernel before 4.12.1 allows local users to gain privileges by leveraging a race condition between a read operation and a store operation... |
| CVE-2017-0752 | 2017-09-08 | A elevation of privilege vulnerability in the Android framework (windowmanager). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-62196835. |
| CVE-2017-0753 | 2017-09-08 | A remote code execution vulnerability in the Android libraries (libgdx). Product: Android. Versions: 7.1.1, 7.1.2, 8.0. Android ID: A-62218744. |
| CVE-2017-0755 | 2017-09-08 | A elevation of privilege vulnerability in the Android libraries (libminikin). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-32178311. |
| CVE-2017-0756 | 2017-09-08 | A remote code execution vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34621073. |
| CVE-2017-0757 | 2017-09-08 | A remote code execution vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36006815. |
| CVE-2017-0758 | 2017-09-08 | A remote code execution vulnerability in the Android media framework (libhevc). Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36492741. |
| CVE-2017-0759 | 2017-09-08 | A remote code execution vulnerability in the Android media framework (libstagefright). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36715268. |