CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-1000358 399 2017-04-24 2017-04-27
4.0
None Remote Low Single system None None Partial
Controller throws an exception and does not allow user to add subsequent flow for a particular switch. Component: OpenDaylight odl-restconf feature contains this flaw. Version: OpenDaylight 4.0 is affected by this flaw.
2 CVE-2017-9616 399 2017-06-14 2017-06-19
4.3
None Remote Medium Not required None None Partial
In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the dissect_mp4_box function in epan/dissectors/file-mp4.c.
3 CVE-2017-9523 79 XSS 2017-06-08 2017-06-14
4.3
None Remote Medium Not required None Partial None
The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page, aka NSWA-1342.
4 CVE-2017-9520 416 DoS 2017-06-08 2017-06-15
4.3
None Remote Medium Not required None None Partial
The r_config_set function in libr/config/config.c in radare2 1.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted DEX file.
5 CVE-2017-9501 20 DoS 2017-06-07 2017-06-12
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.
6 CVE-2017-9500 20 DoS 2017-06-07 2017-06-12
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-8 Q16, an assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file.
7 CVE-2017-9499 20 DoS 2017-06-07 2017-06-12
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function SetPixelChannelAttributes, which allows attackers to cause a denial of service via a crafted file.
8 CVE-2017-9474 119 DoS Overflow 2017-06-07 2017-06-09
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the DecompressRTF function in lib/ytnef.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
9 CVE-2017-9473 399 DoS 2017-06-07 2017-06-09
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the TNEFFillMapi function in lib/ytnef.c allows remote attackers to cause a denial of service (memory consumption) via a crafted file.
10 CVE-2017-9472 119 DoS Overflow 2017-06-07 2017-06-09
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the SwapDWord function in lib/ytnef.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
11 CVE-2017-9471 119 DoS Overflow 2017-06-07 2017-06-09
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the SwapWord function in lib/ytnef.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
12 CVE-2017-9470 476 DoS 2017-06-07 2017-06-09
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the MAPIPrint function in lib/ytnef.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.
13 CVE-2017-9463 89 Sql +Info 2017-06-14 2017-06-19
4.0
None Remote Low Single system Partial None None
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
14 CVE-2017-9451 79 XSS 2017-06-06 2017-06-13
4.3
None Remote Medium Not required None Partial None
Cross site scripting (XSS) vulnerability in pages.edit_form.php in flatCore 1.4.6 allows remote attackers to inject arbitrary JavaScript via the PATH_INFO in an acp.php URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.
15 CVE-2017-9440 119 DoS Overflow 2017-06-05 2017-06-09
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file.
16 CVE-2017-9439 119 DoS Overflow 2017-06-05 2017-06-09
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file.
17 CVE-2017-9420 79 XSS 2017-06-05 2017-06-12
4.3
None Remote Medium Not required None Partial None
Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin before 3.3.0 for WordPress allows remote attackers to inject arbitrary JavaScript via the yr parameter.
18 CVE-2017-9416 22 Dir. Trav. 2017-06-04 2017-06-08
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service.
19 CVE-2017-9409 119 DoS Overflow 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file.
20 CVE-2017-9408 119 DoS Overflow 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None None Partial
In Poppler 0.54.0, a memory leak vulnerability was found in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted file.
21 CVE-2017-9407 119 DoS Overflow 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows attackers to cause a denial of service (memory leak) via a crafted file.
22 CVE-2017-9406 119 DoS Overflow 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None None Partial
In Poppler 0.54.0, a memory leak vulnerability was found in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file.
23 CVE-2017-9405 119 DoS Overflow 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allows attackers to cause a denial of service (memory leak) via a crafted file.
24 CVE-2017-9404 119 DoS Overflow 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None None Partial
In LibTIFF 4.0.7, a memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable in tif_ojpeg.c, which allows attackers to cause a denial of service via a crafted file.
25 CVE-2017-9403 119 DoS Overflow 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None None Partial
In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array in tif_dirread.c, which allows attackers to cause a denial of service via a crafted file.
26 CVE-2017-9378 284 2017-06-02 2017-06-06
4.0
None Remote Low Single system None Partial None
BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted.
27 CVE-2017-9361 79 XSS 2017-06-02 2017-06-06
4.3
None Remote Medium Not required None Partial None
WebsiteBaker v2.10.0 has a stored XSS vulnerability in /account/details.php.
28 CVE-2017-9355 918 2017-06-07 2017-06-16
4.3
None Remote Medium Not required None Partial None
XML external entity (XXE) vulnerability in the import playlist feature in Subsonic 6.1.1 might allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted XSPF playlist file.
29 CVE-2017-9337 79 XSS 2017-06-01 2017-06-09
4.3
None Remote Medium Not required None Partial None
The Markdown on Save Improved plugin 2.5 for WordPress has a stored XSS vulnerability in the content of a post.
30 CVE-2017-9336 79 XSS 2017-06-01 2017-06-09
4.3
None Remote Medium Not required None Partial None
The WP Editor.MD plugin 1.6 for WordPress has a stored XSS vulnerability in the content of a post.
31 CVE-2017-9332 79 XSS 2017-06-06 2017-06-14
4.3
None Remote Medium Not required None Partial None
The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 mishandles the URI, allowing XSS via vectors involving quotes in the self Smarty tag.
32 CVE-2017-9307 918 2017-05-31 2017-06-09
4.0
None Remote Low Single system Partial None None
SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remote authenticated users to conduct port scans and access intranet servers via a crafted file parameter.
33 CVE-2017-9306 79 XSS Bypass 2017-05-31 2017-06-09
4.3
None Remote Medium Not required None Partial None
inc/SP/Html/Html.class.php in sysPass 2.1.9 allows remote attackers to bypass the XSS filter, as demonstrated by use of an "<svg/onload=" substring instead of an "<svg onload=" substring.
34 CVE-2017-9305 79 XSS Bypass 2017-05-31 2017-06-08
4.3
None Remote Medium Not required None Partial None
lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 allows remote attackers to bypass the XSS filter via padded zero characters, as demonstrated by an attack on tiki-batch_send_newsletter.php.
35 CVE-2017-9302 369 DoS 2017-05-29 2017-06-08
4.3
None Remote Medium Not required None None Partial
RealPlayer 16.0.2.32 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mp4 file.
36 CVE-2017-9299 79 XSS 2017-05-29 2017-06-07
4.3
None Remote Medium Not required None Partial None
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks.
37 CVE-2017-9295 611 2017-05-29 2017-06-08
4.0
None Remote Low Single system Partial None None
XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files.
38 CVE-2017-9292 79 XSS 2017-05-29 2017-06-08
4.3
None Remote Medium Not required None Partial None
Lansweeper before 6.0.0.65 has XSS in an image retrieval URI, aka Bug 542782.
39 CVE-2017-9289 79 XSS 2017-05-29 2017-06-08
4.3
None Remote Medium Not required None Partial None
Bram Korsten Note through 1.2.0 is vulnerable to a reflected XSS in note-source\ui\editor.php (edit parameter).
40 CVE-2017-9288 79 XSS 2017-05-29 2017-06-08
4.3
None Remote Medium Not required None Partial None
The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter).
41 CVE-2017-9287 415 2017-05-29 2017-06-08
4.0
None Remote Low Single system None None Partial
servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0.
42 CVE-2017-9262 119 DoS Overflow 2017-05-29 2017-06-05
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-6 Q16, the ReadJNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file.
43 CVE-2017-9261 119 DoS Overflow 2017-05-29 2017-06-05
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/png.c allows attackers to cause a denial of service (memory leak) via a crafted file.
44 CVE-2017-9252 79 XSS 2017-05-28 2017-06-08
4.3
None Remote Medium Not required None Partial None
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the search page via the text-search parameter to index.php in a route=search action.
45 CVE-2017-9251 79 XSS 2017-05-28 2017-06-08
4.3
None Remote Medium Not required None Partial None
andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in the sitename parameter to admin.php.
46 CVE-2017-9243 79 XSS 2017-05-28 2017-06-07
4.3
None Remote Medium Not required None Partial None
Aries QWR-1104 Wireless-N Router with Firmware Version WRC.253.2.0913 has XSS on the Wireless Site Survey page, exploitable with the name of an access point.
47 CVE-2017-9242 20 DoS 2017-05-26 2017-05-31
4.9
None Local Low Not required None None Complete
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
48 CVE-2017-9239 369 2017-05-26 2017-06-08
4.3
None Remote Medium Not required None None Partial
An issue was discovered in Exiv2 0.26. When the data structure of the structure ifd is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue() to cause a segmentation fault. To exploit this vulnerability, someone must open a crafted tiff file.
49 CVE-2017-9216 476 2017-05-24 2017-06-06
4.3
None Remote Medium Not required None None Partial
libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file.
50 CVE-2017-9211 476 DoS 2017-05-23 2017-06-08
4.9
None Local Low Not required None None Complete
The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linux kernel through 4.11.2 relies on a setkey function that lacks a key-size check, which allows local users to cause a denial of service (NULL pointer dereference) via a crafted application.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.