CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
5301 CVE-2017-5192 287 Bypass 2017-09-26 2017-10-06
6.5
None Remote Low Single system Partial Partial Partial
When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed.
5302 CVE-2017-5187 352 CSRF 2017-08-21 2017-08-28
6.8
None Remote Medium Not required Partial Partial Partial
A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 and earlier, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote unauthenticated attackers to view and alter (CWE-275) configuration information and inject OS commands (CWE-78) via forged requests.
5303 CVE-2017-5176 264 +Priv 2017-05-18 2017-06-02
6.2
None Local High Not required Complete Complete Complete
A DLL Hijack issue was discovered in Rockwell Automation Connected Components Workbench (CCW). The following versions are affected: Connected Components Workbench - Developer Edition, v9.01.00 and earlier: 9328-CCWDEVENE, 9328-CCWDEVZHE, 9328-CCWDEVFRE, 9328-CCWDEVITE, 9328-CCWDEVDEE, 9328-CCWDEVESE, and 9328-CCWDEVPTE; and Connected Components Workbench - Free Standard Edition (All Supported Languages), v9.01.00 and earlier. Certain DLLs included with versions of CCW software can be potentially hijacked to allow an attacker to gain rights to a victim's affected personal computer. Such access rights can be at the same or potentially higher level of privileges as the compromised user account, including and up to computer administrator privileges.
5304 CVE-2017-5175 427 Exec Code 2018-05-09 2018-06-18
6.8
None Remote Medium Not required Partial Partial Partial
Advantech WebAccess 8.1 and earlier contains a DLL hijacking vulnerability which may allow an attacker to run a malicious DLL file within the search path resulting in execution of arbitrary code.
5305 CVE-2017-5170 427 2018-01-18 2018-02-06
6.5
None Remote Low Single system Partial Partial Partial
An Uncontrolled Search Path Element issue was discovered in Moxa SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. The attacker needs to have administrative access to the default install location in order to plant the insecure DLL. Once loaded by the application, the DLL could run malicious code at the privilege level of the application.
5306 CVE-2017-5165 352 CSRF 2017-02-13 2017-02-16
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. There is no CSRF Token generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.
5307 CVE-2017-5156 352 CSRF 2017-04-20 2017-04-26
6.8
None Remote Medium Not required Partial Partial Partial
A Cross-Site Request Forgery issue was discovered in Schneider Electric Wonderware InTouch Access Anywhere, version 11.5.2 and prior. The client request may be forged from a different site. This will allow an external site to access internal RDP systems on behalf of the currently logged in user.
5308 CVE-2017-5152 287 Bypass 2017-02-13 2017-11-02
6.4
None Remote Low Not required Partial Partial None
An issue was discovered in Advantech WebAccess Version 8.1. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access pages unrestricted (AUTHENTICATION BYPASS).
5309 CVE-2017-5149 284 2017-02-13 2017-03-16
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in St. Jude Medical [email protected], versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical's web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints.
5310 CVE-2017-5142 264 2017-02-13 2017-02-16
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. A user with low privileges is able to open and change the parameters by accessing a specific URL because of Improper Privilege Management.
5311 CVE-2017-5141 384 2017-02-13 2017-02-17
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session, without invalidating any existing session identifier, which gives the opportunity to steal authenticated sessions (SESSION FIXATION).
5312 CVE-2017-5135 284 Bypass 2017-04-27 2017-05-11
6.4
None Remote Low Not required Partial Partial None
Certain Technicolor devices have an SNMP access-control bypass, possibly involving an ISP customization in some cases. The Technicolor (formerly Cisco) DPC3928SL with firmware D3928SL-P15-13-A386-c3420r55105-160127a could be reached by any SNMP community string from the Internet; also, you can write in the MIB because it provides write properties, aka Stringbleed. NOTE: the string-bleed/StringBleed-CVE-2017-5135 GitHub repository is not a valid reference as of 2017-04-27; it contains Trojan horse code purported to exploit this vulnerability.
5313 CVE-2017-5133 787 Exec Code +Info 2018-02-07 2018-12-11
6.8
None Remote Medium Not required Partial Partial Partial
Off-by-one read/write on the heap in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to corrupt memory and possibly leak information and potentially execute code via a crafted PDF file.
5314 CVE-2017-5132 119 Overflow 2018-02-07 2018-02-23
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate implementation in V8 in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka incorrect WebAssembly stack manipulation.
5315 CVE-2017-5131 190 Overflow 2018-02-07 2018-02-22
6.8
None Remote Medium Not required Partial Partial Partial
An integer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, aka an out-of-bounds write.
5316 CVE-2017-5130 787 Overflow Mem. Corr. 2018-02-07 2019-07-19
6.8
None Remote Medium Not required Partial Partial Partial
An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in Google Chrome prior to 62.0.3202.62 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file.
5317 CVE-2017-5129 416 2018-02-07 2018-02-22
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in WebAudio in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5318 CVE-2017-5128 119 Overflow 2018-02-07 2018-02-23
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in Blink in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page, related to WebGL.
5319 CVE-2017-5127 416 2018-02-07 2018-02-23
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
5320 CVE-2017-5126 416 2018-02-07 2018-02-22
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
5321 CVE-2017-5125 119 Overflow 2018-02-07 2018-02-23
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in Skia in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
5322 CVE-2017-5122 119 Overflow 2017-10-27 2017-12-08
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate use of table size handling in V8 in Google Chrome prior to 61.0.3163.100 for Windows allowed a remote attacker to trigger out-of-bounds access via a crafted HTML page.
5323 CVE-2017-5121 20 Exec Code 2017-10-27 2017-12-08
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate use of JIT optimisation in V8 in Google Chrome prior to 61.0.3163.100 for Linux, Windows, and Mac allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page, related to the escape analysis phase.
5324 CVE-2017-5116 704 Exec Code 2017-10-27 2018-01-19
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in V8 in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
5325 CVE-2017-5115 704 2017-10-27 2017-12-30
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in V8 in Google Chrome prior to 61.0.3163.79 for Windows allowed a remote attacker to potentially exploit object corruption via a crafted HTML page.
5326 CVE-2017-5114 119 Overflow Mem. Corr. 2017-10-27 2017-12-30
6.8
None Remote Medium Not required Partial Partial Partial
Inappropriate use of partition alloc in PDFium in Google Chrome prior to 61.0.3163.79 for Linux, Windows, and Mac, and 61.0.3163.81 for Android, allowed a remote attacker to potentially exploit memory corruption via a crafted PDF file.
5327 CVE-2017-5113 119 Overflow 2017-10-27 2017-12-30
6.8
None Remote Medium Not required Partial Partial Partial
Math overflow in Skia in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
5328 CVE-2017-5112 119 Exec Code Overflow 2017-10-27 2017-12-30
6.8
None Remote Medium Not required Partial Partial Partial
Heap buffer overflow in WebGL in Google Chrome prior to 61.0.3163.79 for Windows allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
5329 CVE-2017-5111 416 Mem. Corr. 2017-10-27 2017-12-30
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in PDFium in Google Chrome prior to 61.0.3163.79 for Linux, Windows, and Mac allowed a remote attacker to potentially exploit memory corruption via a crafted PDF file.
5330 CVE-2017-5108 704 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in PDFium in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to potentially maliciously modify objects via a crafted PDF file.
5331 CVE-2017-5100 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in Apps in Google Chrome prior to 60.0.3112.78 for Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5332 CVE-2017-5099 20 +Priv 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in PPAPI Plugins in Google Chrome prior to 60.0.3112.78 for Mac allowed a remote attacker to potentially gain privilege elevation via a crafted HTML page.
5333 CVE-2017-5098 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in V8 in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5334 CVE-2017-5097 20 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in Skia in Google Chrome prior to 60.0.3112.78 for Linux allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5335 CVE-2017-5095 119 Overflow 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Stack overflow in PDFium in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to potentially exploit stack corruption via a crafted PDF file.
5336 CVE-2017-5092 20 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in PPAPI Plugins in Google Chrome prior to 60.0.3112.78 for Windows allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
5337 CVE-2017-5091 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in IndexedDB in Google Chrome prior to 60.0.3112.78 for Linux, Android, Windows, and Mac allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5338 CVE-2017-5088 125 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in V8 in Google Chrome prior to 59.0.3071.104 for Mac, Windows, and Linux, and 59.0.3071.117 for Android, allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.
5339 CVE-2017-5087 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in Blink in Google Chrome prior to 59.0.3071.104 for Mac, Windows, and Linux, and 59.0.3071.117 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page, aka an IndexedDB sandbox escape.
5340 CVE-2017-5080 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in credit card autofill in Google Chrome prior to 59.0.3071.86 for Linux and Windows allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5341 CVE-2017-5078 77 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in Blink's mailto: handling in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac allowed a remote attacker to perform command injection via a crafted HTML page, a similar issue to CVE-2004-0121. For example, characters such as * have an incorrect interaction with xdg-email in xdg-utils, and a space character can be used in front of a command-line argument.
5342 CVE-2017-5077 125 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in Skia in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5343 CVE-2017-5073 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Use after free in print preview in Blink in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5344 CVE-2017-5071 125 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Insufficient validation of untrusted input in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows and Mac, and 59.0.3071.92 for Android allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5345 CVE-2017-5070 704 Exec Code 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
5346 CVE-2017-5064 119 Overflow 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Incorrect handling of DOM changes in Blink in Google Chrome prior to 58.0.3029.81 for Windows allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
5347 CVE-2017-5063 125 Overflow 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A numeric overflow in Skia in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac, and 58.0.3029.83 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
5348 CVE-2017-5062 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in Chrome Apps in Google Chrome prior to 58.0.3029.81 for Mac, Windows, and Linux, and 58.0.3029.83 for Android, allowed a remote attacker to potentially perform out of bounds memory access via a crafted Chrome extension.
5349 CVE-2017-5059 704 Exec Code 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Type confusion in Blink in Google Chrome prior to 58.0.3029.81 for Linux, Windows, and Mac, and 58.0.3029.83 for Android, allowed a remote attacker to potentially obtain code execution via a crafted HTML page.
5350 CVE-2017-5058 416 2017-10-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
A use after free in PrintPreview in Google Chrome prior to 58.0.3029.81 for Windows allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.