| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
17701 |
CVE-2017-18497 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The liveforms plugin before 3.4.0 for WordPress has XSS. |
|
17702 |
CVE-2017-18496 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. |
|
17703 |
CVE-2017-18495 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress has XSS. |
|
17704 |
CVE-2017-18494 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The custom-search-plugin plugin before 1.36 for WordPress has multiple XSS issues. |
|
17705 |
CVE-2017-18493 |
79 |
|
XSS |
2019-08-13 |
2019-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The custom-admin-page plugin before 0.1.2 for WordPress has multiple XSS issues. |
|
17706 |
CVE-2017-18492 |
79 |
|
XSS |
2019-08-13 |
2019-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The contact-form-to-db plugin before 1.5.7 for WordPress has multiple XSS issues. |
|
17707 |
CVE-2017-18491 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The contact-form-plugin plugin before 4.0.6 for WordPress has multiple XSS issues. |
|
17708 |
CVE-2017-18490 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues. |
|
17709 |
CVE-2017-18489 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS. |
|
17710 |
CVE-2017-18488 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS issues. |
|
17711 |
CVE-2017-18487 |
79 |
|
XSS |
2019-08-13 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPress has multiple XSS issues. |
|
17712 |
CVE-2017-18486 |
332 |
|
|
2019-08-09 |
2019-08-19 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user. |
|
17713 |
CVE-2017-18485 |
352 |
|
CSRF |
2019-08-08 |
2019-08-15 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Cognitoys Dino devices allow profiles_add.html CSRF. |
|
17714 |
CVE-2017-18484 |
79 |
|
XSS |
2019-08-08 |
2019-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cognitoys Dino devices allow XSS via the SSID. |
|
17715 |
CVE-2017-18483 |
79 |
|
XSS |
2019-08-07 |
2019-08-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
ANNKE SP1 HD wireless camera 3.4.1.1604071109 devices allow XSS via a crafted SSID. |
|
17716 |
CVE-2017-18482 |
20 |
|
|
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_item API for queueing non-rearrange modules (SEC-213). |
|
17717 |
CVE-2017-18481 |
79 |
|
XSS |
2019-08-05 |
2019-08-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension List interface (SEC-211). |
|
17718 |
CVE-2017-18480 |
254 |
|
|
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
cPanel before 62.0.4 does not enforce account ownership for has_mycnf_for_cpuser WHM API calls (SEC-210). |
|
17719 |
CVE-2017-18479 |
295 |
|
|
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In cPanel before 62.0.4, WHM SSL certificate generation uses an unreserved e-mail address (SEC-209). |
|
17720 |
CVE-2017-18478 |
200 |
|
+Info |
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api for Rearrange Account actions (SEC-207). |
|
17721 |
CVE-2017-18477 |
254 |
|
|
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In cPanel before 62.0.4, Exim transports could execute in the context of the nobody account (SEC-206). |
|
17722 |
CVE-2017-18476 |
254 |
|
|
2019-08-05 |
2019-08-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Leech Protect in cPanel before 62.0.4 does not protect certain directories (SEC-205). |
|
17723 |
CVE-2017-18475 |
20 |
|
|
2019-08-05 |
2019-08-12 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
In cPanel before 62.0.4, Exim piped filters ran in the context of an incorrect user account when delivering to a system user (SEC-204). |
|
17724 |
CVE-2017-18474 |
200 |
|
+Info |
2019-08-05 |
2019-08-12 |
6.8 |
None |
Remote |
Low |
Single system |
Complete |
None |
None |
|
cPanel before 62.0.4 allows arbitrary file-read operations via Exim valiases (SEC-201). |
|
17725 |
CVE-2017-18473 |
79 |
|
XSS |
2019-08-05 |
2019-08-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
cPanel before 62.0.4 allows self XSS on the webmail Password and Security page (SEC-199). |
|
17726 |
CVE-2017-18472 |
79 |
|
XSS |
2019-08-05 |
2019-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 62.0.4 allows reflected XSS in reset-password interfaces (SEC-198). |
|
17727 |
CVE-2017-18471 |
79 |
|
XSS |
2019-08-05 |
2019-08-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
cPanel before 62.0.4 allows self XSS on the paper_lantern password-change screen (SEC-197). |
|
17728 |
CVE-2017-18470 |
255 |
|
|
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
cPanel before 62.0.4 has a fixed password for the Munin MySQL test account (SEC-196). |
|
17729 |
CVE-2017-18469 |
20 |
|
Exec Code |
2019-08-05 |
2019-08-08 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
cPanel before 62.0.17 allows demo accounts to execute code via an NVData_fetchinc API call (SEC-233). |
|
17730 |
CVE-2017-18468 |
94 |
|
Exec Code |
2019-08-05 |
2019-08-12 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232). |
|
17731 |
CVE-2017-18467 |
254 |
|
|
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
cPanel before 62.0.17 allows access to restricted resources because of a URL filtering error (SEC-229). |
|
17732 |
CVE-2017-18466 |
20 |
|
|
2019-08-05 |
2019-08-12 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
cPanel before 62.0.17 does not properly recognize domain ownership during addition of parked domains to a mail configuration (SEC-228). |
|
17733 |
CVE-2017-18465 |
20 |
|
|
2019-08-05 |
2019-08-12 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 62.0.17 does not have a sufficient list of reserved usernames (SEC-227). |
|
17734 |
CVE-2017-18464 |
20 |
|
|
2019-08-05 |
2019-08-12 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
cPanel before 62.0.17 allows arbitrary file-overwrite operations via the WHM Zone Template editor (SEC-226). |
|
17735 |
CVE-2017-18462 |
254 |
|
Bypass |
2019-08-05 |
2019-08-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based protection is enabled (SEC-224). |
|
17736 |
CVE-2017-18461 |
20 |
|
|
2019-08-02 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 62.0.17 allows does not preserve security policy questions across an account rename (SEC-223). |
|
17737 |
CVE-2017-18458 |
20 |
|
|
2019-08-02 |
2019-08-06 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
cPanel before 62.0.17 allows file overwrite when renaming an account (SEC-219). |
|
17738 |
CVE-2017-18457 |
284 |
|
|
2019-08-02 |
2019-08-09 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
cPanel before 62.0.17 allows arbitrary file-read operations via WHM /styled/ URLs (SEC-218). |
|
17739 |
CVE-2017-18456 |
79 |
|
XSS |
2019-08-02 |
2019-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity interface (SEC-217). |
|
17740 |
CVE-2017-18455 |
264 |
|
|
2019-08-02 |
2019-08-08 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
In cPanel before 62.0.17, addon domain conversion did not require a package for resellers (SEC-208). |
|
17741 |
CVE-2017-18454 |
79 |
|
XSS |
2019-08-02 |
2019-08-06 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install interface (SEC-262). |
|
17742 |
CVE-2017-18453 |
20 |
|
|
2019-08-02 |
2019-08-05 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
cPanel before 64.0.21 does not preserve supplemental groups across account renames (SEC-260). |
|
17743 |
CVE-2017-18452 |
20 |
|
Exec Code |
2019-08-02 |
2019-08-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259). |
|
17744 |
CVE-2017-18451 |
264 |
|
|
2019-08-02 |
2019-08-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
cPanel before 64.0.21 allows attackers to read a user's crontab file during a short time interval upon a cPAddon upgrade (SEC-257). |
|
17745 |
CVE-2017-18450 |
264 |
|
|
2019-08-02 |
2019-08-08 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
cPanel before 64.0.21 allows certain file-chmod operations via /scripts/convert_roundcube_mysql2sqlite (SEC-255). |
|
17746 |
CVE-2017-18449 |
20 |
|
|
2019-08-02 |
2019-08-08 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
cPanel before 64.0.21 allows certain file-rename operations in the context of the root account via scripts/convert_roundcube_mysql2sqlite (SEC-254). |
|
17747 |
CVE-2017-18448 |
22 |
|
Dir. Trav. |
2019-08-02 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
cPanel before 64.0.21 allows certain file-read operations via a Serverinfo_manpage API call (SEC-252). |
|
17748 |
CVE-2017-18447 |
20 |
|
Exec Code |
2019-08-02 |
2019-08-08 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251). |
|
17749 |
CVE-2017-18446 |
125 |
|
|
2019-08-02 |
2019-08-14 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
cPanel before 64.0.21 allows file-read and file-write operations for demo accounts via the SourceIPCheck API (SEC-250). |
|
17750 |
CVE-2017-18445 |
254 |
|
|
2019-08-02 |
2019-08-08 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
cPanel before 64.0.21 does not enforce demo restrictions for SSL API calls (SEC-249). |
