| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
6151 |
CVE-2017-5975 |
119 |
|
DoS Overflow |
2017-03-01 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Heap-based buffer overflow in the __zzip_get64 function in fetch.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (crash) via a crafted ZIP file. |
|
6152 |
CVE-2017-5974 |
119 |
|
DoS Overflow |
2017-03-01 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Heap-based buffer overflow in the __zzip_get32 function in fetch.c in zziplib 0.13.62 allows remote attackers to cause a denial of service (crash) via a crafted ZIP file. |
|
6153 |
CVE-2017-5966 |
22 |
|
Dir. Trav. |
2017-05-23 |
2017-06-08 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter. |
|
6154 |
CVE-2017-5964 |
79 |
|
Exec Code XSS |
2017-02-11 |
2017-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Emoncms through 9.8.0. The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to the "emoncms-master/Modules/vis/visualisations/compare.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
6155 |
CVE-2017-5963 |
79 |
|
Exec Code XSS |
2017-02-11 |
2017-03-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in caddy (for TYPO3) before 7.2.10. The vulnerability exists due to insufficient filtration of user-supplied data in the "paymillToken" HTTP POST parameter passed to the "caddy/Resources/Public/JavaScript/e-payment/paymill/api/php/payment.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
6156 |
CVE-2017-5962 |
79 |
|
Exec Code XSS |
2017-02-11 |
2017-03-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in contexts_wurfl (for TYPO3) before 0.4.2. The vulnerability exists due to insufficient filtration of user-supplied data in the "force_ua" HTTP GET parameter passed to the "/contexts_wurfl/Library/wurfl-dbapi-1.4.4.0/check_wurfl.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
6157 |
CVE-2017-5961 |
79 |
|
Exec Code XSS |
2017-02-11 |
2017-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in ionize through 1.0.8. The vulnerability exists due to insufficient filtration of user-supplied data in the "path" HTTP GET parameter passed to the "ionize-master/themes/admin/javascript/tinymce/jscripts/tiny_mce/plugins/codemirror/dialog.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
6158 |
CVE-2017-5960 |
79 |
|
Exec Code XSS |
2017-02-11 |
2017-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Phalcon Eye through 0.4.1. The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to the "phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
6159 |
CVE-2017-5951 |
476 |
|
DoS |
2017-04-03 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. |
|
6160 |
CVE-2017-5950 |
119 |
|
DoS Overflow |
2017-04-03 |
2017-04-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) 0.5.3 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. |
|
6161 |
CVE-2017-5948 |
284 |
|
|
2017-05-11 |
2017-05-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. OxygenOS and HydrogenOS are vulnerable to downgrade attacks. This is due to a lenient 'updater-script' in OTAs that does not check that the current version is lower than or equal to the given image's. Downgrades can occur even on locked bootloaders and without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, a physical attacker can reboot the phone into recovery, and then use 'adb sideload' to push the OTA (on OnePlus 3/3T 'Secure Start-up' must be off). |
|
6162 |
CVE-2017-5947 |
254 |
|
|
2018-03-29 |
2018-04-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS 5.0 and earlier. The attacker can reboot the device into the Qualcomm Emergency Download (EDL) mode through ADB or by using Volume-Up when connected to USB, which in turn could allow for downgrading partitions such as the Android Bootloader. |
|
6163 |
CVE-2017-5945 |
79 |
|
Exec Code XSS |
2017-02-10 |
2017-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in the PoodLL Filter plugin through 3.0.20 for Moodle. The vulnerability exists due to insufficient filtration of user-supplied data in the "poodll_audio_url" HTTP GET parameter passed to the "filter_poodll_moodle32_2016112802/poodll/mp3recorderskins/brazil/index.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
6164 |
CVE-2017-5942 |
79 |
|
XSS |
2017-02-10 |
2018-05-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in the WP Mail plugin before 1.2 for WordPress. The replyto parameter when composing a mail allows for a reflected XSS. This would allow you to execute JavaScript in the context of the user receiving the mail. |
|
6165 |
CVE-2017-5940 |
284 |
|
|
2017-02-09 |
2018-09-20 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180. |
|
6166 |
CVE-2017-5938 |
79 |
|
XSS |
2017-03-15 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name. |
|
6167 |
CVE-2017-5934 |
79 |
|
XSS |
2018-10-15 |
2018-11-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the link dialogue in GUI editor in MoinMoin before 1.9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
6168 |
CVE-2017-5933 |
200 |
|
+Info |
2017-02-08 |
2017-03-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11.0 before Build 69.12/69.123, and 11.1 before Build 51.21 randomly generates GCM nonces, which makes it marginally easier for remote attackers to obtain the GCM authentication key and spoof data by leveraging a reused nonce in a session and a "forbidden attack," a similar issue to CVE-2016-0270. |
|
6169 |
CVE-2017-5932 |
20 |
|
+Priv |
2017-03-27 |
2017-03-31 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The path autocompletion feature in Bash 4.4 allows local users to gain privileges via a crafted filename starting with a " (double quote) character and a command substitution metacharacter. |
|
6170 |
CVE-2017-5928 |
361 |
|
|
2017-02-27 |
2017-03-24 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The W3C High Resolution Time API, as implemented in various web browsers, does not consider that memory-reference times can be measured by a performance.now "Time to Tick" approach even with the https://bugzilla.mozilla.org/show_bug.cgi?id=1167489#c9 protection mechanism in place, which makes it easier for remote attackers to conduct AnC attacks via crafted JavaScript code. |
|
6171 |
CVE-2017-5919 |
295 |
|
+Info |
2017-05-05 |
2017-05-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The 21st Century Insurance app 10.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6172 |
CVE-2017-5918 |
295 |
|
+Info |
2017-05-05 |
2017-05-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Banco de Costa Rica BCR Movil app 3.7 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6173 |
CVE-2017-5916 |
295 |
|
+Info |
2017-05-05 |
2017-05-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The America's First Federal Credit Union (FCU) Mobile Banking app 3.1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6174 |
CVE-2017-5915 |
295 |
|
+Info |
2017-05-05 |
2017-05-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Emirates NBD Bank P.J.S.C Emirates NBD KSA app 3.10.0 through 3.10.4 (UAE) and 2.0.1 through 2.1.0 (KSA) for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6175 |
CVE-2017-5914 |
295 |
|
+Info |
2017-05-05 |
2017-05-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The DOT IT Banque Zitouna app 2.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6176 |
CVE-2017-5913 |
295 |
|
+Info |
2017-05-05 |
2017-05-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The TradeKing Forex for iPhone app 1.2.1 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6177 |
CVE-2017-5912 |
295 |
|
+Info |
2017-05-05 |
2017-05-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The FOREX.com FOREXTrader for iPhone app 2.9.12 through 2.9.14 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6178 |
CVE-2017-5911 |
295 |
|
+Info |
2017-05-05 |
2017-05-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Banco Santander Mexico SA Supermovil app 3.5 through 3.7 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6179 |
CVE-2017-5909 |
295 |
|
+Info |
2017-05-05 |
2017-05-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Electronic Funds Source (EFS) Mobile Driver Source app 2.5 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6180 |
CVE-2017-5907 |
295 |
|
+Info |
2017-05-05 |
2017-05-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Great Southern Bank Great Southern Mobile Banking app before 4.0.4 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6181 |
CVE-2017-5906 |
295 |
|
+Info |
2017-05-05 |
2017-05-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Everyday Health Diabetes in Check: Blood Glucose & Carb Tracker app 3.4.2 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6182 |
CVE-2017-5905 |
295 |
|
+Info |
2017-05-05 |
2017-05-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Dollar Bank Mobile app 2.6.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6183 |
CVE-2017-5902 |
295 |
|
+Info |
2017-05-05 |
2017-05-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The PayQuicker app 1.0.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6184 |
CVE-2017-5901 |
295 |
|
+Info |
2017-05-05 |
2017-05-15 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The State Bank of India State Bank Anywhere app 5.1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6185 |
CVE-2017-5896 |
125 |
|
DoS Overflow |
2017-02-15 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Heap-based buffer overflow in the fz_subsample_pixmap function in fitz/pixmap.c in MuPDF 1.10a allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted image. |
|
6186 |
CVE-2017-5882 |
79 |
|
XSS |
2017-02-04 |
2017-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in index.asp in SANADATA SanaCMS 7.3 allows remote attackers to inject arbitrary web script or HTML via the search parameter. |
|
6187 |
CVE-2017-5880 |
20 |
|
DoS |
2017-02-04 |
2017-03-09 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
Splunk Web in Splunk Enterprise versions 6.5.x before 6.5.2, 6.4.x before 6.4.5, 6.3.x before 6.3.9, 6.2.x before 6.2.13, 6.1.x before 6.1.12, 6.0.x before 6.0.13, 5.0.x before 5.0.17 and Splunk Light versions before 6.5.2 allows remote authenticated users to cause a denial of service (daemon crash) via a crafted GET request, aka SPL-130279. |
|
6188 |
CVE-2017-5877 |
79 |
|
XSS |
2017-02-06 |
2017-02-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /about-us/locations/index direction parameter. |
|
6189 |
CVE-2017-5876 |
79 |
|
XSS |
2017-02-06 |
2017-02-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack against the /news-events/events date parameter. |
|
6190 |
CVE-2017-5873 |
428 |
|
+Priv |
2017-04-11 |
2017-04-17 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unquoted Windows search path vulnerability in the guest service in Unisys s-Par before 4.4.20 allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory, as demonstrated by program.exe. |
|
6191 |
CVE-2017-5868 |
93 |
|
Http R.Spl. |
2017-05-25 |
2017-06-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATH_INFO to __session_start__/. |
|
6192 |
CVE-2017-5867 |
399 |
|
DoS |
2017-03-03 |
2017-03-07 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file. |
|
6193 |
CVE-2017-5866 |
200 |
|
+Info |
2017-03-03 |
2017-03-07 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors. |
|
6194 |
CVE-2017-5865 |
200 |
|
+Info |
2017-03-03 |
2017-03-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts. |
|
6195 |
CVE-2017-5858 |
346 |
|
|
2017-02-09 |
2017-02-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4). |
|
6196 |
CVE-2017-5857 |
399 |
|
DoS |
2017-03-16 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand. |
|
6197 |
CVE-2017-5856 |
399 |
|
DoS |
2017-03-16 |
2018-09-07 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb. |
|
6198 |
CVE-2017-5855 |
476 |
|
DoS |
2017-03-01 |
2017-03-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. |
|
6199 |
CVE-2017-5854 |
476 |
|
DoS |
2017-03-01 |
2017-03-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. |
|
6200 |
CVE-2017-5852 |
20 |
|
DoS |
2017-03-01 |
2017-03-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file. |
