| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2017-7374 |
476 |
|
DoS +Priv |
2017-03-31 |
2023-02-14 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in fs/crypto/ in the Linux kernel before 4.10.7 allows local users to cause a denial of service (NULL pointer dereference) or possibly gain privileges by revoking keyring keys being used for ext4, f2fs, or ubifs encryption, causing cryptographic transform objects to be freed prematurely. |
|
2 |
CVE-2017-7363 |
79 |
|
XSS |
2017-03-31 |
2021-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pixie 1.0.4 allows an admin/index.php s=publish&m=module&x= XSS attack. |
|
3 |
CVE-2017-7362 |
79 |
|
XSS |
2017-03-31 |
2021-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pixie 1.0.4 allows an admin/index.php s=publish&m=dynamic&x= XSS attack. |
|
4 |
CVE-2017-7361 |
79 |
|
XSS |
2017-03-31 |
2021-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pixie 1.0.4 allows an admin/index.php s=publish&m=static&x= XSS attack. |
|
5 |
CVE-2017-7360 |
79 |
|
XSS |
2017-03-31 |
2021-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pixie 1.0.4 allows an admin/index.php s=settings&x= XSS attack. |
|
6 |
CVE-2017-7359 |
79 |
|
XSS |
2017-03-31 |
2021-03-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pixie 1.0.4 allows an admin/index.php s=login&m= XSS attack. |
|
7 |
CVE-2017-7346 |
20 |
|
DoS |
2017-03-30 |
2017-11-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does not validate certain levels data, which allows local users to cause a denial of service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device. |
|
8 |
CVE-2017-7324 |
94 |
|
Exec Code |
2017-03-30 |
2020-01-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter. |
|
9 |
CVE-2017-7323 |
|
|
Exec Code |
2017-03-30 |
2020-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the lack of the HTTPS protection mechanism. |
|
10 |
CVE-2017-7322 |
295 |
|
Exec Code |
2017-03-30 |
2020-01-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate. |
|
11 |
CVE-2017-7321 |
94 |
|
Exec Code |
2017-03-30 |
2020-01-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. |
|
12 |
CVE-2017-7320 |
79 |
|
DoS XSS Http R.Spl. |
2017-03-30 |
2020-01-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value. |
|
13 |
CVE-2017-7318 |
|
|
Exec Code |
2017-03-30 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Siklu EtherHaul devices before 7.4.0 are vulnerable to a remote command execution (RCE) vulnerability. This vulnerability allows a remote attacker to execute commands and retrieve information such as usernames and plaintext passwords from the device with no authentication. |
|
14 |
CVE-2017-7310 |
119 |
|
Exec Code Overflow |
2017-03-29 |
2018-03-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A buffer overflow vulnerability in Import Command in SyncBreeze before 10.6, DiskSorter before 10.6, DiskBoss before 8.9, DiskPulse before 10.6, DiskSavvy before 10.6, DupScout before 10.6, and VX Search before 10.6 allows attackers to execute arbitrary code via a crafted XML file containing a long name attribute of a classify element. |
|
15 |
CVE-2017-7309 |
79 |
|
XSS |
2017-03-31 |
2017-07-12 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3. |
|
16 |
CVE-2017-7308 |
787 |
|
DoS +Priv |
2017-03-29 |
2023-02-14 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls. |
|
17 |
CVE-2017-7304 |
125 |
|
|
2017-03-29 |
2017-03-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 8) because of missing a check (in the copy_special_section_fields function) for an invalid sh_link field before attempting to follow it. This vulnerability causes Binutils utilities like strip to crash. |
|
18 |
CVE-2017-7303 |
125 |
|
|
2017-03-29 |
2017-03-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to an invalid read (of size 4) because of missing a check (in the find_link function) for null headers before attempting to match them. This vulnerability causes Binutils utilities like strip to crash. |
|
19 |
CVE-2017-7302 |
125 |
|
|
2017-03-29 |
2017-03-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a swap_std_reloc_out function in bfd/aoutx.h that is vulnerable to an invalid read (of size 4) because of missing checks for relocs that could not be recognised. This vulnerability causes Binutils utilities like strip to crash. |
|
20 |
CVE-2017-7301 |
20 |
|
|
2017-03-29 |
2017-03-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that has an off-by-one vulnerability because it does not carefully check the string offset. The vulnerability could lead to a GNU linker (ld) program crash. |
|
21 |
CVE-2017-7300 |
125 |
|
|
2017-03-29 |
2017-03-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an aout_link_add_symbols function in bfd/aoutx.h that is vulnerable to a heap-based buffer over-read (off-by-one) because of an incomplete check for invalid string offsets while loading symbols, leading to a GNU linker (ld) program crash. |
|
22 |
CVE-2017-7299 |
125 |
|
|
2017-03-29 |
2017-03-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has an invalid read (of size 8) because the code to emit relocs (bfd_elf_final_link function in bfd/elflink.c) does not check the format of the input file before trying to read the ELF reloc section header. The vulnerability leads to a GNU linker (ld) program crash. |
|
23 |
CVE-2017-7298 |
79 |
|
XSS |
2017-03-29 |
2018-05-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Add a new course" page, as demonstrated by a crafted attribute of an SVG element. |
|
24 |
CVE-2017-7297 |
|
|
|
2017-03-29 |
2022-04-13 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated users disabling access control via an API call. This is fixed in versions rancher/server:v1.2.4, rancher/server:v1.3.5, rancher/server:v1.4.3, and rancher/server:v1.5.3. |
|
25 |
CVE-2017-7294 |
787 |
|
DoS Overflow +Priv |
2017-03-29 |
2023-02-10 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data, which allows local users to trigger an integer overflow and out-of-bounds write, and cause a denial of service (system hang or crash) or possibly gain privileges, via a crafted ioctl call for a /dev/dri/renderD* device. |
|
26 |
CVE-2017-7290 |
89 |
|
Exec Code Sql |
2017-03-30 |
2017-04-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before 2.5.8.1 allows remote authenticated administrators to execute arbitrary SQL commands via the url parameter to findusers.php. An example attack uses "into outfile" to create a backdoor program. |
|
27 |
CVE-2017-7285 |
400 |
|
|
2017-03-29 |
2017-04-10 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router from accepting new TCP connections. |
|
28 |
CVE-2017-7277 |
125 |
|
DoS +Info |
2017-03-28 |
2017-03-31 |
6.6 |
None |
Local |
Low |
Not required |
Complete |
None |
Complete |
|
The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c. |
|
29 |
CVE-2017-7275 |
119 |
|
DoS Overflow |
2017-03-27 |
2017-03-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allows remote attackers to cause a denial of service (attempted large memory allocation and application crash) via a crafted file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862 and CVE-2016-8866. |
|
30 |
CVE-2017-7274 |
476 |
|
DoS |
2017-03-27 |
2017-03-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The r_pkcs7_parse_cms function in libr/util/r_pkcs7.c in radare2 1.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PE file. |
|
31 |
CVE-2017-7273 |
|
|
DoS |
2017-03-27 |
2021-01-05 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux kernel 3.2 and 4.x before 4.9.4 allows physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report. |
|
32 |
CVE-2017-7272 |
918 |
|
|
2017-03-27 |
2018-02-26 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. |
|
33 |
CVE-2017-7271 |
79 |
|
XSS |
2017-03-27 |
2017-05-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Reflected Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.11, when development mode is used, allows remote attackers to inject arbitrary web script or HTML via crafted request data that is mishandled on the debug-mode exception screen. |
|
34 |
CVE-2017-7269 |
119 |
|
Exec Code Overflow |
2017-03-27 |
2019-07-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016. |
|
35 |
CVE-2017-7266 |
601 |
|
|
2017-03-26 |
2017-03-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout functionality accepted the "next" parameter which then redirects to any domain irrespective of the Host header. |
|
36 |
CVE-2017-7264 |
416 |
|
DoS |
2017-03-26 |
2017-03-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use-after-free vulnerability in the fz_subsample_pixmap function in fitz/pixmap.c in Artifex Software, Inc. MuPDF 1.10a allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted document. |
|
37 |
CVE-2017-7263 |
125 |
|
DoS |
2017-03-26 |
2017-03-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The bm_readbody_bmp function in bitmap_io.c in Potrace 1.14 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8698. |
|
38 |
CVE-2017-7262 |
20 |
|
DoS |
2017-03-25 |
2017-03-29 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The AMD Ryzen processor with AGESA microcode through 2017-01-27 allows local users to cause a denial of service (system hang) via an application that makes a long series of FMA3 instructions, as demonstrated by the Flops test suite. |
|
39 |
CVE-2017-7261 |
20 |
|
DoS |
2017-03-24 |
2017-03-29 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device. |
|
40 |
CVE-2017-7258 |
22 |
|
Exec Code Dir. Trav. |
2017-03-29 |
2017-04-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
HTTP Exploit in eMLi Portal in AuroMeera Technometrix Pvt. Ltd. eMLi allows an Attacker to View Restricted Information or (even more seriously) execute powerful commands on the web server which can lead to a full compromise of the system via Directory Path Traversal, as demonstrated by reading core-emli/Storage. The affected versions are eMLi School Management 1.0, eMLi College Campus Management 1.0, and eMLi University Management 1.0. |
|
41 |
CVE-2017-7257 |
79 |
|
XSS |
2017-03-24 |
2017-03-31 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_content parameter. Someone must login to conduct the attack. |
|
42 |
CVE-2017-7256 |
79 |
|
XSS |
2017-03-24 |
2017-03-31 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_summary parameter. Someone must login to conduct the attack. |
|
43 |
CVE-2017-7255 |
79 |
|
XSS |
2017-03-24 |
2017-04-05 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News-->Add Article" feature via the m1_title parameter. Someone must login to conduct the attack. |
|
44 |
CVE-2017-7253 |
922 |
|
|
2017-03-30 |
2019-10-03 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: 1. Use the default low-privilege credentials to list all users via a request to a certain URI. 2. Login to the IP camera with admin credentials so as to obtain full control of the target IP camera. During exploitation, the first JSON object encountered has a "Component error: login challenge!" message. The second JSON object encountered has a result indicating a successful admin login. |
|
45 |
CVE-2017-7251 |
79 |
|
Exec Code XSS |
2017-03-23 |
2021-08-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A Cross-Site Scripting (XSS) was discovered in pi-engine/pi 2.5.0. The vulnerability exists due to insufficient filtration of user-supplied data (preview) passed to the "pi-develop/www/script/editor/markitup/preview/markdown.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
46 |
CVE-2017-7250 |
79 |
|
Exec Code XSS |
2017-03-23 |
2017-03-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03-19. The vulnerability exists due to insufficient filtration of user-supplied data (action) passed to the 'Gazelle-master/sections/tools/finances/bitcoin_balance.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
47 |
CVE-2017-7249 |
79 |
|
Exec Code XSS |
2017-03-23 |
2017-03-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before 2017-03-19. The vulnerabilities exist due to insufficient filtration of user-supplied data (action, userid) passed to the 'Gazelle-master/sections/tools/data/ocelot_info.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
48 |
CVE-2017-7248 |
79 |
|
Exec Code XSS |
2017-03-23 |
2017-03-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03-19. The vulnerability exists due to insufficient filtration of user-supplied data (type) passed to the 'Gazelle-master/sections/better/transcode.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
49 |
CVE-2017-7247 |
79 |
|
Exec Code XSS |
2017-03-23 |
2017-03-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before 2017-03-19. The vulnerabilities exist due to insufficient filtration of user-supplied data (torrents, size) passed to the 'Gazelle-master/sections/tools/managers/multiple_freeleech.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
|
50 |
CVE-2017-7246 |
119 |
|
DoS Overflow |
2017-03-23 |
2018-08-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. |
