CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2017-17588 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvshow.php s parameter, or show_misc_video.php id parameter.
302 CVE-2017-17587 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token parameter, buyleads-details.php id parameter, or company/index.php c parameter.
303 CVE-2017-17586 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter or the message.php pid parameter.
304 CVE-2017-17585 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id parameter.
305 CVE-2017-17584 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.php fl_orig or fl_dest parameter.
306 CVE-2017-17583 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords parameter.
307 CVE-2017-17582 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Grubhub Clone 1.0 has SQL Injection via the /food keywords parameter.
308 CVE-2017-17581 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid parameter.
309 CVE-2017-17580 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Linkedin Clone 1.0 has SQL Injection via the group.php grid parameter, profile.php fid parameter, or company_details.php id parameter.
310 CVE-2017-17579 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parameter.
311 CVE-2017-17578 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_details.php id parameter.
312 CVE-2017-17577 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Trademe Clone 1.0 has SQL Injection via the search_item.php search parameter or the general_item_details.php id parameter.
313 CVE-2017-17576 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat parameter, browse-scategory.php sc parameter, or service-provider.php ser parameter.
314 CVE-2017-17575 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Groupon Clone 1.0 has SQL Injection via the item_details.php id parameter or the vendor_details.php id parameter.
315 CVE-2017-17574 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or jobFrequency parameter.
316 CVE-2017-17573 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, or the search.php category_id or sub_category_id parameter.
317 CVE-2017-17572 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Amazon Clone 1.0 has SQL Injection via the PATH_INFO to /VerAyari.
318 CVE-2017-17571 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parameter.
319 CVE-2017-17570 89 Sql 2017-12-13 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
FS Expedia Clone 1.0 has SQL Injection via the pages.php or content.php id parameter, or the show-flight-result.php fl_orig or fl_dest parameter.
320 CVE-2017-17569 79 XSS 2017-12-13 2017-12-21
4.3
None Remote Medium Not required None Partial None
Scubez Posty Readymade Classifieds has XSS via the admin/user_activate_submit.php ID parameter.
321 CVE-2017-17568 732 +Info 2017-12-13 2019-10-02
5.0
None Remote Low Not required Partial None None
Scubez Posty Readymade Classifieds has Incorrect Access Control for visiting admin/user_activate_submit.php (aka the backend PHP script), which might allow remote attackers to obtain sensitive information via a direct request.
322 CVE-2017-17567 89 Sql 2017-12-13 2017-12-22
5.0
None Remote Low Not required Partial None None
Scubez Posty Readymade Classifieds has SQL Injection via the admin/user_activate_submit.php ID parameter.
323 CVE-2017-17566 DoS +Priv 2017-12-12 2019-10-02
6.9
None Local Medium Not required Complete Complete Complete
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page.
324 CVE-2017-17565 20 DoS 2017-12-12 2018-10-19
4.7
None Local Medium Not required None None Complete
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P.
325 CVE-2017-17564 388 DoS +Priv 2017-12-12 2018-10-19
6.9
None Local Medium Not required Complete Complete Complete
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode.
326 CVE-2017-17563 119 DoS Overflow +Priv 2017-12-12 2018-10-19
6.9
None Local Medium Not required Complete Complete Complete
An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode.
327 CVE-2017-17562 20 Exec Code 2017-12-12 2018-04-19
6.8
None Remote Medium Not required Partial Partial Partial
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
328 CVE-2017-17561 Exec Code 2017-12-12 2019-10-02
6.5
None Remote Low Single system Partial Partial Partial
SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/admin_ping.php, which interacts with data/admin/ping.php.
329 CVE-2017-17560 287 Exec Code 2017-12-12 2019-05-28
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
330 CVE-2017-17558 787 DoS 2017-12-12 2019-05-14
7.2
None Local Low Not required Complete Complete Complete
The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.
331 CVE-2017-17556 200 +Info 2017-12-15 2018-01-05
3.6
None Local Low Not required Partial Partial None
A debug tool in Synaptics TouchPad drivers allows local users with administrative access to obtain sensitive information about keyboard scan codes by modifying registry keys.
332 CVE-2017-17555 476 DoS 2017-12-11 2018-08-13
4.3
None Remote Medium Not required None None Partial
The swri_audio_convert function in audioconvert.c in FFmpeg libswresample through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6, and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file.
333 CVE-2017-17554 476 2017-12-11 2018-08-13
4.3
None Remote Medium Not required None None Partial
A NULL pointer dereference (DoS) Vulnerability was found in the function aubio_source_avcodec_readframe in io/source_avcodec.c of aubio 0.4.6, which may lead to DoS when playing a crafted audio file.
334 CVE-2017-17553 2017-12-11 2019-10-02
5.0
None Remote Low Not required Partial None None
The Dolphin Browser for Android 12.0.2 suffers from an insecure parsing implementation of the Intent URI scheme. This vulnerability could allow attackers to abuse this implementation through a malicious Intent URI, in order to invoke private Activities within the Dolphin Browser.
335 CVE-2017-17551 20 2017-12-11 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
The Backup and Restore feature in Mobotap Dolphin Browser for Android 12.0.2 suffers from an arbitrary file write vulnerability when attempting to restore browser settings from a malicious Dolphin Browser backup file. This arbitrary file write vulnerability allows an attacker to overwrite a specific executable in the Dolphin Browser's data directory with a crafted malicious executable. Every time the Dolphin Browser is launched, it will attempt to run the malicious executable from disk, thus executing the attacker's code.
336 CVE-2017-17549 200 +Info 2017-12-13 2018-01-05
4.3
None Remote Medium Not required Partial None None
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 allow remote attackers to obtain sensitive information from the backend client TLS handshake by leveraging use of TLS with Client Certificates and a Diffie-Hellman Ephemeral (DHE) key exchange.
337 CVE-2017-17538 DoS 2017-12-13 2019-10-02
7.8
None Remote Low Not required None None Complete
MikroTik v6.40.5 devices allow remote attackers to cause a denial of service via a flood of ICMP packets.
338 CVE-2017-17537 20 DoS 2017-12-13 2018-01-12
5.0
None Remote Low Not required None None Partial
MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated remote attacker to cause a denial of service by connecting to TCP port 53 and sending data that begins with many '\0' characters, possibly related to DNS.
339 CVE-2017-17536 Exec Code 2017-12-11 2019-10-02
6.8
None Remote Medium Not required Partial Partial Partial
Phabricator before 2017-11-10 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a --config= or --debugger= substring.
340 CVE-2017-17535 74 2017-12-14 2017-12-29
6.8
None Remote Medium Not required Partial Partial Partial
lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
341 CVE-2017-17534 74 2017-12-14 2017-12-29
6.8
None Remote Medium Not required Partial Partial Partial
uiutil.c in Mensis 0.0.080507 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17521.
342 CVE-2017-17533 74 2017-12-14 2018-01-03
6.8
None Remote Medium Not required Partial Partial Partial
** DISPUTED ** default.tcl in Tkabber 1.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the attack cannot occur because of the argument-parsing behavior of the Tcl exec function.
343 CVE-2017-17532 74 2017-12-14 2017-12-29
6.8
None Remote Medium Not required Partial Partial Partial
examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
344 CVE-2017-17531 74 2017-12-14 2017-12-29
6.8
None Remote Medium Not required Partial Partial Partial
gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
345 CVE-2017-17530 74 2017-12-14 2017-12-29
6.8
None Remote Medium Not required Partial Partial Partial
common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
346 CVE-2017-17529 74 2017-12-14 2017-12-29
6.8
None Remote Medium Not required Partial Partial Partial
af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
347 CVE-2017-17528 74 2017-12-14 2017-12-29
6.8
None Remote Medium Not required Partial Partial Partial
backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
348 CVE-2017-17527 74 2017-12-14 2018-01-03
6.8
None Remote Medium Not required Partial Partial Partial
** DISPUTED ** delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer has indicated that the code referencing the BROWSER environment variable is never used.
349 CVE-2017-17526 74 2017-12-14 2017-12-28
6.8
None Remote Medium Not required Partial Partial Partial
Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
350 CVE-2017-17525 74 2017-12-14 2017-12-28
6.8
None Remote Medium Not required Partial Partial Partial
guiclient/guiclient.cpp in xTuple PostBooks 4.7.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
Total number of vulnerabilities : 1111   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.