Total: 309430 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2017-10068 | 1 Oracle | 1 Business Intelligence | 2024-11-21 | 6.4 MEDIUM | 8.2 HIGH | Vulnerability in the Oracle Business Intelligence Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Analytics Web Dashboards). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).
CVE-2017-1002201 | 2 Debian, Haml | 2 Debian Linux, Haml | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.
CVE-2017-1002157 | 1 Redhat | 1 Modulemd | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution.
CVE-2017-1002152 | 1 Redhat | 1 Bodhi | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles.
CVE-2017-1002102 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 6.3 MEDIUM | 7.1 HIGH | In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4, containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
CVE-2017-1002101 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | 5.5 MEDIUM | 8.8 HIGH | In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4, containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
CVE-2017-1000600 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited; however, this has not been confirmed at this time. This issue appears to have been partially, but not completely, fixed in WordPress 4.9.
CVE-2017-1000510 | 1 Croogo | 1 Croogo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of JavaScript code.
CVE-2017-1000509 | 1 Dolibarr | 1 Dolibarr Erp/crm | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of JavaScript code.
CVE-2017-1000508 | 1 Invoiceplane | 1 Invoiceplane | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of JavaScript code. This vulnerability appears to have been fixed in 1.5.5 and later.
CVE-2017-1000507 | 1 Cnvs | 1 Canvas | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulnerability in User's details that can result in denial of service and execution of JavaScript code.
CVE-2017-1000506 | 1 Mautic | 1 Mautic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial of service and execution of JavaScript code.
CVE-2017-1000505 | 1 Jenkins | 1 Script Security | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval.
CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
CVE-2017-1000503 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default.
CVE-2017-1000502 | 1 Jenkins | 1 Ec2 | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators.
CVE-2017-1000501 | 2 Awstats, Debian | 2 Awstats, Debian Linux | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
CVE-2017-1000499 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.
CVE-2017-1000498 | 1 Androidsvg Project | 1 Androidsvg | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution.
CVE-2017-1000497 | 1 Pepperminty-wiki Project | 1 Pepperminty-wiki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution.