Total
309430 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1000496 | 1 Commsy | 1 Commsy | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code. | |||||
| CVE-2017-1000495 | 1 Quickappscms | 1 Quickapps Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site Scripting in the user's real name field resulting in denial of service and performing unauthorised actions with an administrator user's account | |||||
| CVE-2017-1000494 | 1 Miniupnp Project | 1 Miniupnpd | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Uninitialized stack variable vulnerability in NameValueParserEndElt (upnpreplyparse.c) in miniupnpd < 2.0 allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or possibly have unspecified other impact | |||||
| CVE-2017-1000493 | 1 Rocket.chat | 1 Rocket.chat | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover | |||||
| CVE-2017-1000492 | 1 Leanote | 1 Desktop | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Leanote-desktop version v2.5 is vulnerable to a XSS which leads to code execution due to enabled node integration | |||||
| CVE-2017-1000491 | 1 Shiba Project | 1 Shiba | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shiba markdown live preview app version 1.1.0 is vulnerable to XSS which leads to code execution due to enabled node integration. | |||||
| CVE-2017-1000490 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to. | |||||
| CVE-2017-1000489 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address | |||||
| CVE-2017-1000488 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form. | |||||
| CVE-2017-1000487 | 2 Codehaus-plexus, Debian | 2 Plexus-utils, Debian Linux | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. | |||||
| CVE-2017-1000485 | 1 Nylas Mail Lives Project | 1 Nylas Mail | 2024-11-21 | 2.1 LOW | 7.8 HIGH |
| Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations. | |||||
| CVE-2017-1000484 | 1 Plone | 1 Plone | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.) | |||||
| CVE-2017-1000483 | 1 Plone | 1 Plone | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5. | |||||
| CVE-2017-1000482 | 1 Plone | 1 Plone | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page. | |||||
| CVE-2017-1000481 | 1 Plone | 1 Plone | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the `isURLInPortal` check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix. | |||||
| CVE-2017-1000480 | 1 Smarty | 1 Smarty | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name. | |||||
| CVE-2017-1000479 | 2 Netgate, Opnsense Project | 2 Pfsense, Opnsense | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions. | |||||
| CVE-2017-1000478 | 1 Elabftw | 1 Elabftw | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| ELabftw version 1.7.8 is vulnerable to stored cross-site scripting in the experiment infos component resulting in arbitrary execution of JavaScript and denial of service. | |||||
| CVE-2017-1000477 | 1 Xmlbundle Project | 1 Xmlbundle | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks. | |||||
| CVE-2017-1000476 | 3 Canonical, Debian, Imagemagick | 3 Ubuntu Linux, Debian Linux, Imagemagick | 2024-11-21 | 7.1 HIGH | 6.5 MEDIUM |
| ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. | |||||