CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1002100 2017-09-14 2017-09-14
0.0
None ??? ??? ??? ??? ??? ???
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
2 CVE-2017-1002024 2017-09-14 2017-09-14
0.0
None ??? ??? ??? ??? ??? ???
Vulnerability in web application Kind Editor v4.1.12, kindeditor/php/upload_json.php does not check authentication before allow users to upload files.
3 CVE-2017-1002016 2017-09-14 2017-09-14
0.0
None ??? ??? ??? ??? ??? ???
Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files.
4 CVE-2017-1002008 2017-09-14 2017-09-15
0.0
None ??? ??? ??? ??? ??? ???
Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges.
5 CVE-2017-1002003 2017-09-14 2017-09-15
0.0
None ??? ??? ??? ??? ??? ???
Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android-app v1.1.4, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
6 CVE-2017-1002002 2017-09-14 2017-09-15
0.0
None ??? ??? ??? ??? ??? ???
Vulnerability in wordpress plugin webapp-builder v2.0, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/
7 CVE-2017-1002001 2017-09-14 2017-09-15
0.0
None ??? ??? ??? ??? ??? ???
Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com.
8 CVE-2017-1002000 2017-09-14 2017-09-15
0.0
None ??? ??? ??? ??? ??? ???
Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easytouch v3.0, The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check that the user is allowed to upload content.
9 CVE-2017-1000251 Exec Code Overflow 2017-09-12 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 3.3-rc1 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.
10 CVE-2017-1000249 2017-09-11 2017-09-11
0.0
None ??? ??? ??? ??? ??? ???
An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016) lets an attacker overwrite a fixed 20 bytes stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
11 CVE-2017-14735 XSS 2017-09-25 2017-09-25
0.0
None ??? ??? ??? ??? ??? ???
OWASP AntiSamy through 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.
12 CVE-2017-14734 DoS Overflow 2017-09-25 2017-09-25
0.0
None ??? ??? ??? ??? ??? ???
The build_msps function in libbpg.c in libbpg 0.9.7 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted BPG file, related to hevc_decode_init1.
13 CVE-2017-14733 DoS 2017-09-25 2017-09-25
0.0
None ??? ??? ??? ??? ??? ???
ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles RLE headers that specify too few colors, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
14 CVE-2017-14731 DoS 2017-09-25 2017-09-25
0.0
None ??? ??? ??? ??? ??? ???
ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file, as demonstrated by an ofxdump call.
15 CVE-2017-14730 +Priv 2017-09-25 2017-09-25
0.0
None ??? ??? ??? ??? ??? ???
The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link.
16 CVE-2017-14729 DoS Overflow 2017-09-25 2017-09-25
0.0
None ??? ??? ??? ??? ??? ???
The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, do not ensure a unique PLT entry for a symbol, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
17 CVE-2017-14727 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash via strftime date/time specifiers, because a buffer is not initialized.
18 CVE-2017-14726 XSS 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
19 CVE-2017-14725 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
20 CVE-2017-14724 XSS 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
21 CVE-2017-14723 Sql 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
22 CVE-2017-14722 Dir. Trav. 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.
23 CVE-2017-14721 XSS 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
24 CVE-2017-14720 XSS 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
25 CVE-2017-14719 Dir. Trav. 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.
26 CVE-2017-14718 XSS 2017-09-23 2017-09-23
0.0
None ??? ??? ??? ??? ??? ???
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.
27 CVE-2017-14717 XSS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Description parameter.
28 CVE-2017-14716 XSS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title parameter.
29 CVE-2017-14715 XSS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Title parameter.
30 CVE-2017-14714 XSS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subject parameter.
31 CVE-2017-14713 XSS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Description parameter.
32 CVE-2017-14712 XSS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall Notes Title parameter.
33 CVE-2017-14706 +Info 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.
34 CVE-2017-14705 Exec Code 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
DenyAll WAF before 6.4.1 allows unauthenticated remote command execution via TCP port 3001 because shell metacharacters can be inserted into the type parameter to the tailDateFile function in /webservices/stream/tail.php. An iToken authentication parameter is required but can be obtained by exploiting CVE-2017-14706. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.
35 CVE-2017-14694 DoS Exec Code 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
Foxit Reader 8.3.2.25013 allows attackers to execute arbitrary code or cause a denial of service via a crafted .pdf file, related to "Data from Faulting Address controls Code Flow starting at tiptsf!CPenInputPanel::FinalRelease+0x000000000000002f."
36 CVE-2017-14693 DoS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
IrfanView 4.44 - 32bit allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .djvu file, related to "Data from Faulting Address controls Branch Selection starting at DJVU!GetPlugInInfo+0x000000000001c613."
37 CVE-2017-14692 DoS Exec Code 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause a denial of service via a crafted .jb2 file, related to a "User Mode Write AV starting at STDUJBIG2File!DllGetClassObject+0x000000000000653b."
38 CVE-2017-14691 DoS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
STDU Viewer 1.6.375 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .jb2 file, related to "Data from Faulting Address controls Branch Selection starting at ntdll_773a0000!RtlAddAccessAllowedAce+0x000000000000027a."
39 CVE-2017-14690 DoS Exec Code 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
STDU Viewer 1.6.375 allows attackers to execute arbitrary code or cause a denial of service via a crafted .jb2 file, related to "Data from Faulting Address controls subsequent Write Address starting at STDUJBIG2File!DllGetClassObject+0x00000000000064e7."
40 CVE-2017-14689 DoS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
STDU Viewer 1.6.375 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .djvu file, related to "Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at STDUDjVuFile!DllUnregisterServer+0x000000000000328e."
41 CVE-2017-14688 DoS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
STDU Viewer 1.6.375 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .djvu file, related to a "Read Access Violation starting at STDUDjVuFile!DllUnregisterServer+0x000000000000d917."
42 CVE-2017-14687 DoS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to "Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016cb4f" on Windows. This occurs because of mishandling of XML tag name comparisons.
43 CVE-2017-14686 DoS Exec Code 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause a denial of service via a crafted .xps file, related to a "User Mode Write AV near NULL starting at wow64!Wow64NotifyDebugger+0x000000000000001d" on Windows. This occurs because read_zip_dir_imp in fitz/unzip.c does not check whether size fields in a ZIP entry are negative numbers.
44 CVE-2017-14685 DoS 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
Artifex MuPDF 1.11 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .xps file, related to "Data from Faulting Address controls Branch Selection starting at mupdf+0x000000000016aa61" on Windows. This occurs because xps_load_links_in_glyphs in xps/xps-link.c does not verify that an xps font could be loaded.
45 CVE-2017-14684 DoS 2017-09-21 2017-09-21
0.0
None ??? ??? ??? ??? ??? ???
In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in the function ReadVIPSImage in coders/vips.c, which allows attackers to cause a denial of service (memory consumption in ResizeMagickMemory in MagickCore/memory.c) via a crafted file.
46 CVE-2017-14683 CSRF 2017-09-25 2017-09-25
0.0
None ??? ??? ??? ??? ??? ???
geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload.
47 CVE-2017-14682 DoS Overflow 2017-09-21 2017-09-21
0.0
None ??? ??? ??? ??? ??? ???
GetNextToken in MagickCore/token.c in ImageMagick 7.0.6 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted SVG document, a different vulnerability than CVE-2017-10928.
48 CVE-2017-14681 Exec Code 2017-09-21 2017-09-21
0.0
None ??? ??? ??? ??? ??? ???
The daemon in P3Scan 3.0_rc1 and earlier creates a p3scan.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for p3scan.pid modification before a root script executes a "kill `cat /pathname/p3scan.pid`" command, as demonstrated by etc/init.d/p3scan.
49 CVE-2017-14680 2017-09-21 2017-09-21
0.0
None ??? ??? ??? ??? ??? ???
ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document.
50 CVE-2017-14653 2017-09-22 2017-09-22
0.0
None ??? ??? ??? ??? ??? ???
member/Orderinfo.asp in ASP4CMS AspCMS 2.7.2 allows remote authenticated users to read arbitrary order information via a modified OrderNo parameter.
Total number of vulnerabilities : 383   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.