Export limit exceeded: 325300 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 325300 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (9566 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-16349 | 1 Sap | 1 Business Planning And Consolidation | 2024-11-21 | 8.1 High |
| An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability. | ||||
| CVE-2017-16224 | 1 St Project | 1 St | 2024-11-21 | N/A |
| st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e"). | ||||
| CVE-2017-16088 | 1 Safe-eval Project | 1 Safe-eval | 2024-11-21 | N/A |
| The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. | ||||
| CVE-2017-15725 | 1 Devada | 1 Dzone Answerhub | 2024-11-21 | 7.5 High |
| An XML External Entity Injection vulnerability exists in Dzone AnswerHub. | ||||
| CVE-2017-15691 | 2 Apache, Redhat | 5 Uima-as, Uimaducc, Uimafit and 2 more | 2024-11-21 | N/A |
| In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content. | ||||
| CVE-2017-15653 | 1 Asus | 1 Asuswrt | 2024-11-21 | N/A |
| Improper administrator IP validation after his login in the HTTPd server in all current versions (<= 3.0.0.4.380.7743) of Asus asuswrt allows an unauthorized user to execute any action knowing administrator session token by using a specific User-Agent string. | ||||
| CVE-2017-15419 | 3 Debian, Google, Redhat | 6 Debian Linux, Chrome, Enterprise Linux Desktop and 3 more | 2024-11-21 | N/A |
| Insufficient policy enforcement in Resource Timing API in Google Chrome prior to 63.0.3239.84 allowed a remote attacker to infer browsing history by triggering a leaked cross-origin URL via a crafted HTML page. | ||||
| CVE-2017-15393 | 3 Debian, Google, Redhat | 3 Debian Linux, Chrome, Rhel Extras | 2024-11-21 | N/A |
| Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page, aka a Referer leak. | ||||
| CVE-2017-14802 | 1 Netiq | 1 Access Manager | 2024-11-21 | N/A |
| Novell Access Manager Admin Console and IDP servers before 4.3.3 have a URL that could be used by remote attackers to trigger unvalidated redirects to third party sites. | ||||
| CVE-2017-14798 | 2 Postgresql, Suse | 2 Postgresql, Suse Linux Enterprise Server | 2024-11-21 | N/A |
| A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root. | ||||
| CVE-2017-14699 | 1 Asus | 32 Dsl-ac51, Dsl-ac51 Firmware, Dsl-ac52u and 29 more | 2024-11-21 | N/A |
| Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow remote authenticated users to read arbitrary files via a crafted DTD in (1) an UPDATEACCOUNT or (2) a PROPFIND request. | ||||
| CVE-2017-14394 | 1 Forgerock | 2 Access Management, Openam | 2024-11-21 | N/A |
| OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect. | ||||
| CVE-2017-13288 | 1 Google | 1 Android | 2024-11-21 | N/A |
| In writeToParcel and readFromParcel of PeriodicAdvertisingReport.java, there is a permission bypass due to a 64/32bit int mismatch. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69634768. | ||||
| CVE-2017-12576 | 1 Planex | 2 Cs-qr20, Cs-qr20 Firmware | 2024-11-21 | N/A |
| An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undocumented management page allows an attacker to execute arbitrary code on the device when the user is authenticated. The management page was used for debugging purposes, once you login and access the page directly (/admin/system_command.asp), you can execute any command. | ||||
| CVE-2017-12191 | 1 Redhat | 2 Cloudforms, Cloudforms Managementengine | 2024-11-21 | N/A |
| A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMWare Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to. | ||||
| CVE-2017-12164 | 1 Gnome | 1 Gnome Display Manager | 2024-11-21 | N/A |
| A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer setting the ran_once boolean during autologin. If autologin was enabled for a victim, an attacker could simply select 'login as another user' to unlock their screen. | ||||
| CVE-2017-12161 | 1 Keycloak | 1 Keycloak | 2024-11-21 | N/A |
| It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks. | ||||
| CVE-2017-1000498 | 1 Androidsvg Project | 1 Androidsvg | 2024-11-21 | 7.8 High |
| AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution | ||||
| CVE-2017-1000497 | 1 Pepperminty-wiki Project | 1 Pepperminty-wiki | 2024-11-21 | 9.8 Critical |
| Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution | ||||
| CVE-2017-1000496 | 1 Commsy | 1 Commsy | 2024-11-21 | N/A |
| Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code. | ||||