CVE Daily
← All years

All CVEs — 2017

Page 1/103.

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0
2017-12-31
Medium

CVE-2017-18005

Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.

CVSS: 5.5 CWE: CWE-476
Read more
Medium

CVE-2017-18004

Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps/default/mapAndPoint.

CVSS: 5.4 CWE: CWE-79
Read more
Critical

CVE-2017-18001

Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, vi…

CVSS: 9.8 CWE: CWE-306
Read more
High

CVE-2017-17704

A door-unlocking issue was discovered on Software House iStar Ultra devices through 6.5.2.20569 when used in conjunction with the IP-ACM Ethernet Door Module. The communications between the IP-ACM an…

CVSS: 7.4 CWE: CWE-330
Read more
2017-12-30
Medium

CVE-2016-10704

Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17089

custom/run.cgi in Webmin before 1.870 allows remote authenticated administrators to conduct XSS attacks via the description field in the custom command functionality.

CVSS: 4.8 CWE: CWE-79
Read more
High

CVE-2017-17997

In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointer and crashes. This was addressed in epan/dissectors/packet-mrdisc.c by validating an IPv4 address. This vulnerability is similar…

CVSS: 7.5 CWE: CWE-476
Read more
Medium

CVE-2017-12813

PHPJabbers File Sharing Script 1.0 has stored XSS in the comments section.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-12812

PHPJabbers Night Club Booking Software has stored XSS in the name parameter in the reservations tab.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-12811

PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-12810

PHPJabbers PHP Newsletter Script 4.2 has stored XSS in lists in the admin panel.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17995

Biometric Shift Employee Management System has XSS via the Last_Name parameter in an index.php?user=ajax request.

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2017-17994

Biometric Shift Employee Management System has XSS via the criteria parameter in an index.php?user=competency_criteria request.

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2017-17993

Biometric Shift Employee Management System has XSS via the amount parameter in an index.php?user=addition_deduction request.

CVSS: 5.4 CWE: CWE-79
Read more
Critical

CVE-2017-17992

Biometric Shift Employee Management System allows Arbitrary File Download via directory traversal sequences in the index.php form_file_name parameter in a download_form action.

CVSS: 9.8 CWE: CWE-22
Read more
Medium

CVE-2017-17991

Biometric Shift Employee Management System has XSS via the expense_name parameter in an index.php?user=expenses request.

CVSS: 5.4 CWE: CWE-79
Read more
High

CVE-2017-17990

Biometric Shift Employee Management System has CSRF via index.php in an edit_holiday action.

CVSS: 8.8 CWE: CWE-352
Read more
Medium

CVE-2017-17989

Biometric Shift Employee Management System has XSS via the index.php holiday_name parameter in an edit_holiday action.

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2017-17988

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_add.php event_title parameter.

CVSS: 4.8 CWE: CWE-79
Read more
High

CVE-2017-17987

PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file upload via admin/mydetails_edit.php.

CVSS: 7.2 CWE: CWE-434
Read more
Medium

CVE-2017-17986

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/caste_view.php comm_id parameter.

CVSS: 4.8 CWE: CWE-79
Read more
Medium

CVE-2017-17985

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/state_view.php cou_id parameter.

CVSS: 4.8 CWE: CWE-79
Read more
Medium

CVE-2017-17984

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event_edit.php edit_id parameter.

CVSS: 4.8 CWE: CWE-79
Read more
High

CVE-2017-17983

PHP Scripts Mall Muslim Matrimonial Script has SQL injection via the view-profile.php mem_id parameter.

CVSS: 8.8 CWE: CWE-89
Read more
Medium

CVE-2017-17982

PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin_edit.php.

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2017-17981

PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/slider_edit.php edit_id parameter.

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2017-17975

Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have un…

CVSS: 5.5 CWE: CWE-416
Read more
2017-12-29
High

CVE-2017-17901

ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via a flood of IP packets with a TTL of 1.

CVSS: 7.5 CWE: CWE-400
Read more
High

CVE-2015-8008

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API…

CVSS: 7.5 CWE: CWE-284
Read more
High

CVE-2015-3302

The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by…

CVSS: 7.5 CWE: CWE-284
Read more
Critical

CVE-2014-9515

Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.

CVSS: 9.8 CWE: CWE-502
Read more
High

CVE-2014-8119

The find_ifcfg_path function in netcf before 0.2.7 might allow attackers to cause a denial of service (application crash) via vectors involving augeas path expressions.

CVSS: 7.5 CWE: CWE-20
Read more
Medium

CVE-2014-4978

The rs_filter_graph function in librawstudio/rs-filter.c in rawstudio might allow local users to truncate arbitrary files via a symlink attack on (1) /tmp/rs-filter-graph.png or (2) /tmp/rs-filter-gr…

CVSS: 5.5 CWE: CWE-59
Read more
Critical

CVE-2014-3630

XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of se…

CVSS: 9.8 CWE: CWE-611
Read more
Critical

CVE-2014-0121

The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter.

CVSS: 9.8 CWE: CWE-287
Read more
High

CVE-2014-0120

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf se…

CVSS: 8.8 CWE: CWE-352
Read more
Medium

CVE-2013-4578

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper fi…

CVSS: 5.3 CWE: CWE-74
Read more
High

CVE-2017-17973

In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue

CVSS: 8.8 CWE: CWE-416
Read more
Medium

CVE-2017-17910

On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur tran…

CVSS: 6.5 CWE: CWE-330
Read more
Medium

CVE-2017-17971

The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17933

cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or 9021) in NetWin SurgeFTP version 23f2 has XSS via the classid, domainid, or username parameter.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17760

OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData function in grfmt_pxm.cpp, because an incorrect size value is used.

CVSS: 6.5 CWE: CWE-119
Read more
High

CVE-2017-17920

SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes th…

CVSS: 8.1 CWE: CWE-89
Read more
High

CVE-2017-17919

SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. NOTE: The vendor disputes t…

CVSS: 8.1 CWE: CWE-89
Read more
High

CVE-2017-17917

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. NOTE: The vendor disputes this i…

CVSS: 8.1 CWE: CWE-89
Read more
High

CVE-2017-17916

SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. NOTE: The vendor disputes th…

CVSS: 8.1 CWE: CWE-89
Read more
Critical

CVE-2017-17968

A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP respons…

CVSS: 9.8 CWE: CWE-119
Read more
Medium

CVE-2017-16876

Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape t…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2016-3695

The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disab…

CVSS: 5.5 CWE: CWE-74
Read more
High

CVE-2014-3651

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.

CVSS: 7.5 CWE: CWE-400
Read more
High

CVE-2013-7400

The Direct Mail (direct_mail) extension before 3.1.2 for TYPO3 allows remote attackers to obtain sensitive information by leveraging improper checking of authentication codes.

CVSS: 7.5 CWE: CWE-200
Read more
Critical

CVE-2014-4914

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.

CVSS: 9.8 CWE: CWE-89
Read more
2017-12-28
Medium

CVE-2017-17967

pptreader.dll in Kingsoft WPS Office 10.1.0.6930 allows remote attackers to cause a denial of service via a crafted PPT file, aka CNVD-2017-35482.

CVSS: 5.5 CWE: CWE-20
Read more
High

CVE-2017-17960

PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php.

CVSS: 8.8 CWE: CWE-352
Read more
Critical

CVE-2017-17959

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid parameter.

CVSS: 9.8 CWE: CWE-89
Read more
Medium

CVE-2017-17958

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist.php fid parameter.

CVSS: 6.1 CWE: CWE-79
Read more
Critical

CVE-2017-17957

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter.

CVSS: 9.8 CWE: CWE-89
Read more
Medium

CVE-2017-17956

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17955

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17954

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17953

PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter.

CVSS: 6.1 CWE: CWE-79
Read more
High

CVE-2017-17952

PHP Scripts Mall PHP Multivendor Ecommerce has a predicable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail address.

CVSS: 8.6 CWE: CWE-20
Read more
Critical

CVE-2017-17951

PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter.

CVSS: 9.8 CWE: CWE-89
Read more
High

CVE-2017-17950

Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter.

CVSS: 8.8 CWE: CWE-89
Read more
Medium

CVE-2017-17949

Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter.

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2017-17948

Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic request.

CVSS: 6.1 CWE: CWE-79
Read more
High

CVE-2017-15667

In Flexense SysGauge Server 3.6.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9221.

CVSS: 7.5 CWE: CWE-20
Read more
Critical

CVE-2017-5641

Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is execute…

CVSS: 9.8 CWE: CWE-502
Read more
Medium

CVE-2017-15892

Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND…

CVSS: 5.4 CWE: CWE-79
Read more
Medium

CVE-2017-15886

Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.

CVSS: 6.5 CWE: CWE-918
Read more
High

CVE-2017-17942

In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c.

CVSS: 8.8 CWE: CWE-125
Read more
High

CVE-2017-17941

PHP Scripts Mall Single Theater Booking has SQL Injection via the admin/movieview.php movieid parameter.

CVSS: 7.2 CWE: CWE-89
Read more
Medium

CVE-2017-17940

PHP Scripts Mall Single Theater Booking has XSS via the title parameter to admin/sitesettings.php.

CVSS: 4.8 CWE: CWE-79
Read more
High

CVE-2017-17939

PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesettings.php.

CVSS: 8.8 CWE: CWE-352
Read more
Medium

CVE-2017-17938

PHP Scripts Mall Single Theater Booking has XSS via the admin/viewtheatre.php theatreid parameter.

CVSS: 4.8 CWE: CWE-79
Read more
Medium

CVE-2017-17937

Vanguard Marketplace Digital Products PHP has XSS via the phps_query parameter to /search.

CVSS: 6.1 CWE: CWE-79
Read more
High

CVE-2017-17936

Vanguard Marketplace Digital Products PHP has CSRF via /search.

CVSS: 8.8 CWE: CWE-352
Read more
Critical

CVE-2017-17932

A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on th…

CVSS: 9.8 CWE: CWE-119
Read more
Medium

CVE-2017-10910

MQTT.js 2.x.x prior to 2.15.0 issue in handling PUBLISH tickets may lead to an attacker causing a denial-of-service condition.

CVSS: 6.5 CWE: CWE-674
Read more
High

CVE-2015-3637

SQL injection vulnerability in phpMyBackupPro when run in multi-user mode before 2.5 allows remote attackers to execute arbitrary SQL commands via the username and password parameters.

CVSS: 8.1 CWE: CWE-89
Read more
Critical

CVE-2014-8389

cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with…

CVSS: 9.8 CWE: CWE-78
Read more
2017-12-27
Medium

CVE-2017-9608

The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file.

CVSS: 6.5 CWE: CWE-476
Read more
High

CVE-2017-11698

Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted…

CVSS: 7.8 CWE: CWE-119
Read more
High

CVE-2017-11697

The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted ce…

CVSS: 7.8 CWE: CWE-119
Read more
High

CVE-2017-11696

Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted c…

CVSS: 7.8 CWE: CWE-119
Read more
High

CVE-2017-11695

Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted ce…

CVSS: 7.8 CWE: CWE-119
Read more
Critical

CVE-2015-7669

Multiple directory traversal vulnerabilities in (1) includes/MapImportCSV2.php and (2) includes/MapImportCSV.php in the Easy2Map plugin before 1.3.0 for WordPress allow remote attackers to include an…

CVSS: 9.8 CWE: CWE-22
Read more
Medium

CVE-2015-7668

Cross-site scripting (XSS) vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.3.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_i…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2015-7667

Multiple cross-site scripting (XSS) vulnerabilities in (1) templates/admanagement/admanagement.php and (2) templates/adspot/adspot.php in the ResAds plugin before 1.0.2 for WordPress allow remote att…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2015-7666

Multiple cross-site scripting (XSS) vulnerabilities in the (1) cp_updateMessageItem and (2) cp_deleteMessageItem functions in cp_ppp_admin_int_message_list.inc.php in the Payment Form for PayPal Pro…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2015-7324

Multiple cross-site scripting (XSS) vulnerabilities in helpers/comment.php in the StackIdeas Komento (com_komento) component before 2.0.5 for Joomla! allow remote attackers to inject arbitrary web sc…

CVSS: 6.1 CWE: CWE-79
Read more
Critical

CVE-2015-6237

The RPC service in Tripwire (formerly nCircle) IP360 VnE Manager 7.2.2 before 7.2.6 allows remote attackers to bypass authentication and (1) enumerate users, (2) reset passwords, or (3) manipulate IP…

CVSS: 9.8 CWE: CWE-287
Read more
Medium

CVE-2017-16768

Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter.

CVSS: 4.8 CWE: CWE-79
Read more
High

CVE-2017-13056

The launchURL function in PDF-XChange Viewer 2.5 (Build 314.0) might allow remote attackers to execute arbitrary code via a crafted PDF file.

CVSS: 7.8 CWE: CWE-20
Read more
High

CVE-2016-6914

Ubiquiti UniFi Video before 3.8.0 for Windows uses weak permissions for the installation directory, which allows local users to gain SYSTEM privileges via a Trojan horse taskkill.exe file.

CVSS: 7.8 CWE: CWE-276
Read more
Critical

CVE-2017-9944

A vulnerability has been identified in Siemens 7KT PAC1200 data manager (7KT1260) in all versions < V2.03. The integrated web server (port 80/tcp) of the affected devices could allow an unauthenticat…

CVSS: 9.8 CWE: CWE-288
Read more
High

CVE-2017-7163

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privi…

CVSS: 7.8 CWE: CWE-119
Read more
High

CVE-2017-7162

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. watchOS before 4.2 is affected. The issue involves the…

CVSS: 7.8 CWE: CWE-119
Read more
High

CVE-2017-7160

An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected…

CVSS: 8.8 CWE: CWE-119
Read more
High

CVE-2017-7159

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "IOAcceleratorFamily" component. It allows attackers to execute arbitrary code in a privile…

CVSS: 7.8 CWE: CWE-119
Read more
Medium

CVE-2017-7158

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Screen Sharing Server" component. It allows attackers to obtain root privileges for readin…

CVSS: 6.5 CWE: CWE-119
Read more
High

CVE-2017-7157

An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected…

CVSS: 8.8 CWE: CWE-119
Read more
High

CVE-2017-7156

An issue was discovered in certain Apple products. iOS before 11.2 is affected. Safari before 11.0.2 is affected. iCloud before 7.2 on Windows is affected. iTunes before 12.7.2 on Windows is affected…

CVSS: 8.8 CWE: CWE-119
Read more
High

CVE-2017-7155

An issue was discovered in certain Apple products. macOS before 10.13.2 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to execute arbitrary code in a privi…

CVSS: 7.8 CWE: CWE-119
Read more
Medium

CVE-2017-7154

An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. tvOS before 11.2 is affected. The issue involves the "Kernel" component. It allows lo…

CVSS: 6.6 CWE: CWE-20
Read more
High

CVE-2017-17935

The File_read_line function in epan/wslua/wslua_file.c in Wireshark through 2.2.11 does not properly strip '\n' characters, which allows remote attackers to cause a denial of service (buffer underflo…

CVSS: 7.5 CWE: CWE-125
Read more
Medium

CVE-2017-17934

ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, related to MSLPopImage and ProcessMSLScript, and associated with mishandling of MSLPushImage calls.

CVSS: 6.5 CWE: CWE-772
Read more
Critical

CVE-2017-17931

PHP Scripts Mall Resume Clone Script has SQL Injection via the forget.php username parameter.

CVSS: 9.8 CWE: CWE-89
Read more
High

CVE-2017-17930

PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel.

CVSS: 8.8 CWE: CWE-352
Read more
Medium

CVE-2017-17929

PHP Scripts Mall Professional Service Script has XSS via the admin/bannerview.php view parameter.

CVSS: 4.8 CWE: CWE-79
Read more
Critical

CVE-2017-17928

PHP Scripts Mall Professional Service Script has SQL injection via the admin/review.php id parameter.

CVSS: 9.8 CWE: CWE-89
Read more
Medium

CVE-2017-17927

PHP Scripts Mall Professional Service Script allows remote attackers to obtain sensitive full-path information via a crafted PATH_INFO to service-list/category/.

CVSS: 5.3 CWE: CWE-22
Read more
Medium

CVE-2017-17926

PHP Scripts Mall Professional Service Script has a predicable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail address.

CVSS: 5.3 CWE: CWE-200
Read more
Medium

CVE-2017-17925

PHP Scripts Mall Professional Service Script has XSS via the admin/general_settingupd.php website_title parameter.

CVSS: 4.8 CWE: CWE-79
Read more
Medium

CVE-2017-17924

PHP Scripts Mall Professional Service Script allows remote attackers to obtain sensitive full-path information via the id parameter to admin/review_userwise.php.

CVSS: 5.3 CWE: CWE-22
Read more
High

CVE-2017-17915

In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadMNGImage in coders/png.c, related to accessing one byte before testing whether a limit has been reached.

CVSS: 8.8 CWE: CWE-125
Read more
Medium

CVE-2017-17914

In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service (ReadOneMNGImage large loop) via a crafted…

CVSS: 6.5 CWE: CWE-834
Read more
High

CVE-2017-17913

In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based buffer over-read in WriteWEBPImage in coders/webp.c, related to an incompatibility with libwebp versions, 0.5.0 and later, that use…

CVSS: 8.8 CWE: CWE-125
Read more
High

CVE-2017-17912

In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region.

CVSS: 8.8 CWE: CWE-125
Read more
Medium

CVE-2017-17911

packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?p=core/contact request, aka Open Bug Bounty ID OBB-278503.

CVSS: 6.1 CWE: CWE-79
Read more