All CVEs — 2018 (Page 119/120)

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0

2018-01-05

Critical

CVE-2017-16716

A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands.

CVSS: 9.8 CWE: CWE-89

2018-01-04

High

CVE-2018-5220

In K7 Antivirus 15.1.0306, the driver file (K7Sentry.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from…

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5219

In K7 Antivirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from…

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5218

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5217

CVSS: 7.8 CWE: CWE-20

Medium

CVE-2018-5216

Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_content parameter to an admin/pages/*/edit resource.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2018-5215

Fork CMS 5.0.7 has XSS in /private/en/pages/edit via the title parameter.

CVSS: 5.4 CWE: CWE-79

High

CVE-2017-17867

Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated users to execute arbitrary OS commands by modifying the leasetrigger field in the odhcpd configuration to specify an arbitrary progra…

CVSS: 8.8 CWE: CWE-732

Medium

CVE-2018-5214

The "Add Link to Facebook" plugin through 2.3 for WordPress has XSS via the al2fb_facebook_id parameter to wp-admin/profile.php.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2018-5213

The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload (aka Downloadable File) parameter in an edit action to wp-admin/post.php.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2018-5212

The Simple Download Monitor plugin before 3.5.4 for WordPress has XSS via the sdm_upload_thumbnail (aka File Thumbnail) parameter in an edit action to wp-admin/post.php.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2017-1727

IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 discloses sensitive information in error messages that could aid an attacker in further attacks against the system. IBM X-Force ID: 134869.

CVSS: 4.3 CWE: CWE-532

Low

CVE-2017-1699

IBM MQ Managed File Transfer Agent 8.0 and 9.0 sets insecure permissions on certain files it creates. A local attacker could exploit this vulnerability to modify or delete data contained in the files…

CVSS: 3.3 CWE: CWE-732

Medium

CVE-2017-1673

IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended f…

CVSS: 6.1 CWE: CWE-79

High

CVE-2017-1672

IBM Tivoli Key Lifecycle Manager 2.6 and 2.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the w…

CVSS: 8.8 CWE: CWE-352

Low

CVE-2017-1669

IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server l…

CVSS: 3.7 CWE: CWE-200

Medium

CVE-2017-1665

IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 133559.

CVSS: 5.9 CWE: CWE-326

Medium

CVE-2017-1664

IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 133557.

CVSS: 5.9 CWE: CWE-326

High

CVE-2017-14960

xDashboard in OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) v4.5SP1 Patch 13 has SQL Injection.

CVSS: 7.5 CWE: CWE-89

Medium

CVE-2017-17837

The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the windowId handling. The default size of the windowId get's cut off after 10 characters (by default), so the impact might be limit…

CVSS: 6.1 CWE: CWE-79

Critical

CVE-2017-15714

The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this cod…

CVSS: 9.8 CWE: CWE-74

Medium

CVE-2018-0803

Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to access information from one domain and inject it into another domain, due to how Mic…

CVSS: 4.2 CWE: CWE-863

Medium

CVE-2018-0800

Microsoft Edge in Microsoft Windows 10 1709 allows an attacker to obtain information to further compromise the user's system, due to how the scripting engine handles objects in memory, aka "Scripting…

CVSS: 5.3 CWE: CWE-200

High

CVE-2018-0781

Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine han…

CVSS: 7.5 CWE: CWE-787

Medium

CVE-2018-0780

Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the scripting…

CVSS: 5.3 CWE: CWE-125

High

CVE-2018-0778

Microsoft Edge in Windows 10 1709 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Mem…

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0777

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0776

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0775

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0774

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0773

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0772

Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and Microsoft Edge in Windows 10 Gold,…

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0770

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0769

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0768

CVSS: 7.5 CWE: CWE-787

Medium

CVE-2018-0767

Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the scripting engin…

CVSS: 5.3 CWE: CWE-125

Medium

CVE-2018-0766

CVSS: 4.3 CWE: CWE-200

High

CVE-2018-0762

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0758

CVSS: 7.5 CWE: CWE-787

High

CVE-2018-0752

The Windows Kernel API in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of p…

CVSS: 7.8 CWE: CWE-732

High

CVE-2018-0751

CVSS: 7.1 CWE: CWE-269

High

CVE-2018-0748

The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Window…

CVSS: 7.8 CWE: CWE-269

Medium

CVE-2018-0746

The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclo…

CVSS: 4.7 CWE: CWE-665

Medium

CVE-2018-0745

The Windows kernel in Windows 10 version 1703. Windows 10 version 1709, and Windows Server, version 1709 allows an information disclosure vulnerability due to the way objects are handled in memory, a…

CVSS: 4.7 CWE: CWE-665

Medium

CVE-2017-5754

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel a…

CVSS: 5.6 CWE: CWE-200

Medium

CVE-2017-5753

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVSS: 5.6 CWE: CWE-203

Medium

CVE-2017-5715

CVSS: 5.6 CWE: CWE-203

High

CVE-2018-5210

On Samsung mobile devices with N(7.x) software and Exynos chipsets, attackers can conduct a Trustlet stack overflow attack for arbitrary TEE code execution, in conjunction with a brute-force attack t…

CVSS: 8.1 CWE: CWE-787

Medium

CVE-2018-1190

An issue was discovered in these Pivotal Cloud Foundry products: all versions prior to cf-release v270, UAA v3.x prior to v3.20.2, and UAA bosh v30.x versions prior to v30.8 and all other versions pr…

CVSS: 6.1 CWE: CWE-79

High

CVE-2018-0114

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerabi…

CVSS: 7.5 CWE: CWE-347

Critical

CVE-2018-0104

A vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files could allow a remote attacker to execute arbitrary code on the system of a targeted user. The attacke…

CVSS: 9.6 CWE: CWE-20

High

CVE-2018-0103

A Buffer Overflow vulnerability in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files could allow a local attacker to execute arbitrary code on the system of a user. The a…

CVSS: 7.8 CWE: CWE-119

Critical

CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use s…

CVSS: 9.8 CWE: CWE-20

High

CVE-2017-18020

On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software and Exynos chipsets, attackers can execute arbitrary code in the bootloader because S Boot omits a size check during a copy of ramfs…

CVSS: 8.4 CWE: CWE-20

Medium

CVE-2017-14383

In Dell EMC VNX2 versions prior to Operating Environment for File 8.1.9.217 and VNX1 versions prior to Operating Environment for File 7.1.80.8, a web server error page in VNX Control Station is impac…

CVSS: 6.1 CWE: CWE-79

High

CVE-2017-18019

In K7 Total Security before 15.1.0.305, user-controlled input to the K7Sentry device is not sufficiently sanitized: the user-controlled input can be used to compare an arbitrary memory address with a…

CVSS: 7.1 CWE: CWE-20

High

CVE-2017-18018

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify…

CVSS: 7.1 CWE: CWE-362

2018-01-03

High

CVE-2018-5088

In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from…

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5087

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5086

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5085

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5084

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5083

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5082

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5081

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5080

CVSS: 7.8 CWE: CWE-20

High

CVE-2018-5079

CVSS: 7.8 CWE: CWE-20

Medium

CVE-2018-5078

Online Ticket Booking has XSS via the admin/eventlist.php cast parameter.

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2018-5077

Online Ticket Booking has XSS via the admin/movieedit.php moviename parameter.

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2018-5076

Online Ticket Booking has XSS via the admin/newsedit.php newstitle parameter.

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2018-5075

Online Ticket Booking has XSS via the admin/snacks_edit.php snacks_name parameter.

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2018-5074

Online Ticket Booking has XSS via the admin/manageownerlist.php contact parameter.

CVSS: 4.8 CWE: CWE-79

Medium

CVE-2018-5073

Online Ticket Booking has CSRF via admin/movieedit.php.

CVSS: 6.8 CWE: CWE-352

Medium

CVE-2018-5072

Online Ticket Booking has XSS via the admin/sitesettings.php keyword parameter.

CVSS: 4.8 CWE: CWE-79

Critical

CVE-2017-1000487

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

CVSS: 9.8 CWE: CWE-78

Critical

CVE-2017-1000486

Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

CVSS: 9.8 CWE: CWE-326

High

CVE-2017-1000485

Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations.

CVSS: 7.8 CWE: CWE-732

Medium

CVE-2017-1000484

By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his ow…

CVSS: 6.1 CWE: CWE-601

High

CVE-2017-1000473

Linux Dash up to version v2 is vulnerable to multiple command injection vulnerabilities in the way module names are parsed and then executed resulting in code execution on the server, potentially as…

CVSS: 7.8 CWE: CWE-78

Medium

CVE-2017-1000472

The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value in the ZIP header, which allows attackers to conduct abso…

CVSS: 6.5 CWE: CWE-22

Critical

CVE-2017-1000471

EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service.

CVSS: 9.8 CWE: CWE-476

High

CVE-2017-1000470

EmbedThis GoAhead Webserver versions 4.0.0 and earlier is vulnerable to an integer overflow in the HTTP listener resulting in denial of service.

CVSS: 7.5 CWE: CWE-190

Critical

CVE-2017-1000469

Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.

CVSS: 9.8 CWE: CWE-20

Medium

CVE-2017-1000462

BookStack version 0.18.4 is vulnerable to stored cross-site scripting, within the page creation page, which can result in disruption of service and execution of javascript code.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2017-1000461

Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulnerable to an incorrect access control issue in the "JS fingerprinting blocking" component, resulting in a malicious website being…

CVSS: 4.7 CWE: CWE-732

Medium

CVE-2017-1000460

In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chromium(56 prior Feb 13, 2017), the return value of init_get_bits is ignored and get_ue_golomb(&gb) is called on an uninitialized g…

CVSS: 6.5 CWE: CWE-476

Medium

CVE-2017-1000482

A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2017-1000481

When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you t…

CVSS: 6.1 CWE: CWE-601

Critical

CVE-2017-1000480

Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name.

CVSS: 9.8 CWE: CWE-94

High

CVE-2017-1000479

pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Fram…

CVSS: 8.8 CWE: CWE-352

Medium

CVE-2017-1000478

ELabftw version 1.7.8 is vulnerable to stored cross-site scripting in the experiment infos component resulting in arbitrary execution of JavaScript and denial of service.

CVSS: 5.4 CWE: CWE-79

High

CVE-2017-1000477

XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks.

CVSS: 7.5 CWE: CWE-611

Medium

CVE-2017-1000476

ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.

CVSS: 6.5 CWE: CWE-400

Medium

CVE-2017-1000490

Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user…

CVSS: 6.5 CWE: CWE-22

High

CVE-2017-1000489

Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address

CVSS: 8.1 CWE: CWE-287

Medium

CVE-2017-1000488

Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form.

CVSS: 6.1 CWE: CWE-79

Critical

CVE-2017-1000501

Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.

CVSS: 9.8 CWE: CWE-22

Medium

CVE-2017-1000467

LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in disruption of service and execution of javascript code.

CVSS: 5.4 CWE: CWE-79

High

CVE-2017-1000499

phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as dele…

CVSS: 8.8 CWE: CWE-352

High

CVE-2017-1000498

AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution

CVSS: 7.8 CWE: CWE-611

Critical

CVE-2017-1000497

Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution

CVSS: 9.8 CWE: CWE-611

High

CVE-2017-1000496

Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.

CVSS: 8.8 CWE: CWE-611

Medium

CVE-2017-1000495

QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site Scripting in the user's real name field resulting in denial of service and performing unauthorised actions with an administrator user's…

CVSS: 5.4 CWE: CWE-79

High

CVE-2017-1000494

Uninitialized stack variable vulnerability in NameValueParserEndElt (upnpreplyparse.c) in miniupnpd < 2.0 allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or p…

CVSS: 7.8 CWE: CWE-119

Medium

CVE-2018-4868

The Exiv2::Jp2Image::readMetadata function in jp2image.cpp in Exiv2 0.26 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file.

CVSS: 5.5 CWE: CWE-770

High

CVE-2018-4862

In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an authenticated user with ProcessEdit permission could reference an Azure account in such a way as to bypass the scoping restrictions, res…

CVSS: 8.8 CWE: CWE-269

Critical

CVE-2017-18017

The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memor…

CVSS: 9.8 CWE: CWE-416

Critical

CVE-2017-1000493

Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover

CVSS: 9.8 CWE: CWE-74

Medium

CVE-2017-1000492

Leanote-desktop version v2.5 is vulnerable to a XSS which leads to code execution due to enabled node integration

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2017-1000491

Shiba markdown live preview app version 1.1.0 is vulnerable to XSS which leads to code execution due to enabled node integration.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2017-1000466

Invoice Ninja version 3.8.1 is vulnerable to stored cross-site scripting vulnerability, within the invoice creation page, which can result in disruption of service and execution of javascript code.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2017-1000463

Leafpub version 1.2.0-beta6 is vulnerable to stored cross-site scripting vulnerability, within the edit blog post page, which can result in disruption of service and execution of javascript code.

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2017-1000459

Leanote version <= 2.5 is vulnerable to XSS due to not sanitized input in markdown notes

CVSS: 6.1 CWE: CWE-79

2018-01-02

Critical

CVE-2017-1000437

Creolabs Gravity 1.0 contains a stack based buffer overflow in the operator_string_add function, resulting in remote code execution.

CVSS: 9.8 CWE: CWE-119

Medium

CVE-2017-1000434

Wordpress plugin Furikake version 0.1.0 is vulnerable to an Open Redirect The furikake-redirect parameter on a page allows for a redirect to an attacker controlled page classes/Furigana.php: header('…

CVSS: 6.1 CWE: CWE-601

High

CVE-2017-1000433

pysaml2 version 4.4.0 and older accept any password when run with python optimizations enabled. This allows attackers to log in as any user without knowing their password.

CVSS: 8.1 CWE: CWE-287

High

CVE-2017-1000432

Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting topics and comments from forums Admin access

CVSS: 8.0 CWE: CWE-352

Medium

CVE-2017-1000427

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2017-1000425

Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp page in Liferay Portal CE 7.0 GA4 and older allows remote attackers to inject arbitrary web script or HTML via a javascript: URI…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2017-1000426

MapProxy version 1.10.3 and older is vulnerable to a Cross Site Scripting attack in the demo service resulting in possible information disclosure.

CVSS: 6.1 CWE: CWE-79