The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2017-17957 | PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid parameter. | HIGH | Dec 28, 2017 |
CVE-2017-17956 | PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname parameter. | MEDIUM | Dec 28, 2017 |
CVE-2017-17955 | PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid parameter. | MEDIUM | Dec 28, 2017 |
CVE-2017-17954 | PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter. | MEDIUM | Dec 28, 2017 |
CVE-2017-17953 | PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1 parameter. | MEDIUM | Dec 28, 2017 |
CVE-2017-17952 | PHP Scripts Mall PHP Multivendor Ecommerce has a predicable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail address. | MEDIUM | Dec 28, 2017 |
CVE-2017-17951 | PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter. | HIGH | Dec 28, 2017 |
CVE-2017-17950 | Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter. | MEDIUM | Dec 28, 2017 |
CVE-2017-17949 | Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter. | MEDIUM | Dec 28, 2017 |
CVE-2017-17948 | Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic request. | MEDIUM | Dec 28, 2017 |
CVE-2017-17947 | A cross site scripting issue has been found in custompage.cgi in Pulse Secure Pulse Connect Secure (PCS) before 8.0R17.0, 8.1.x before 8.1R13, 8.2.x before 8.2R9, and 8.3.x before 8.3R3 and Pulse Policy Secure (PPS) before 5.2R10, 5.3.x before 5.3R9, and 5.4.x before 5.4R3 due to one of the URL parameters not being sanitized. Exploitation does require the user to be logged in as administrator; the issue is not applicable to the end user portal. | LOW | Jan 16, 2018 |
CVE-2017-17946 | A buffer overflow in Handy Password 4.9.3 allows remote attackers to execute arbitrary code via a long Title name field in mail box data that is mishandled in an Open from mail box action. | HIGH | Jan 10, 2018 |
CVE-2017-17945 | The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation. | MEDIUM | Jul 3, 2019 |
CVE-2017-17944 | The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation. | MEDIUM | Jun 21, 2019 |
CVE-2017-17942 | In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c. | MEDIUM | Dec 28, 2017 |
CVE-2017-17941 | PHP Scripts Mall Single Theater Booking has SQL Injection via the admin/movieview.php movieid parameter. | MEDIUM | Dec 28, 2017 |
CVE-2017-17940 | PHP Scripts Mall Single Theater Booking has XSS via the title parameter to admin/sitesettings.php. | LOW | Dec 28, 2017 |
CVE-2017-17939 | PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesettings.php. | MEDIUM | Dec 28, 2017 |
CVE-2017-17938 | PHP Scripts Mall Single Theater Booking has XSS via the admin/viewtheatre.php theatreid parameter. | LOW | Dec 28, 2017 |
CVE-2017-17937 | Vanguard Marketplace Digital Products PHP has XSS via the phps_query parameter to /search. | MEDIUM | Dec 28, 2017 |
CVE-2017-17936 | Vanguard Marketplace Digital Products PHP has CSRF via /search. | MEDIUM | Dec 28, 2017 |
CVE-2017-17935 | The File_read_line function in epan/wslua/wslua_file.c in Wireshark through 2.2.11 does not properly strip \'\\n\' characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet that triggers the attempted processing of an empty line. | MEDIUM | Dec 27, 2017 |
CVE-2017-17934 | ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, related to MSLPopImage and ProcessMSLScript, and associated with mishandling of MSLPushImage calls. | MEDIUM | Dec 27, 2017 |
CVE-2017-17933 | cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or 9021) in NetWin SurgeFTP version 23f2 has XSS via the classid, domainid, or username parameter. | MEDIUM | Dec 29, 2017 |
CVE-2017-17932 | A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 888. | HIGH | Dec 28, 2017 |
CVE-2017-17931 | PHP Scripts Mall Resume Clone Script has SQL Injection via the forget.php username parameter. | HIGH | Dec 27, 2017 |
CVE-2017-17930 | PHP Scripts Mall Professional Service Script has CSRF via admin/general_settingupd.php, as demonstrated by modifying a setting in the user panel. | MEDIUM | Dec 27, 2017 |
CVE-2017-17929 | PHP Scripts Mall Professional Service Script has XSS via the admin/bannerview.php view parameter. | LOW | Dec 27, 2017 |
CVE-2017-17928 | PHP Scripts Mall Professional Service Script has SQL injection via the admin/review.php id parameter. | HIGH | Dec 27, 2017 |
CVE-2017-17927 | PHP Scripts Mall Professional Service Script allows remote attackers to obtain sensitive full-path information via a crafted PATH_INFO to service-list/category/. | MEDIUM | Dec 27, 2017 |
CVE-2017-17926 | PHP Scripts Mall Professional Service Script has a predicable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail address. | MEDIUM | Dec 27, 2017 |
CVE-2017-17925 | PHP Scripts Mall Professional Service Script has XSS via the admin/general_settingupd.php website_title parameter. | LOW | Dec 27, 2017 |
CVE-2017-17924 | PHP Scripts Mall Professional Service Script allows remote attackers to obtain sensitive full-path information via the id parameter to admin/review_userwise.php. | MEDIUM | Dec 27, 2017 |
CVE-2017-17920 | ** DISPUTED ** SQL injection vulnerability in the \'reorder\' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \'name\' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. | MEDIUM | Jan 10, 2018 |
CVE-2017-17919 | ** DISPUTED ** SQL injection vulnerability in the \'order\' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \'id desc\' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. | MEDIUM | Jan 10, 2018 |
CVE-2017-17917 | ** DISPUTED ** SQL injection vulnerability in the \'where\' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \'id\' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. | MEDIUM | Jan 10, 2018 |
CVE-2017-17916 | ** DISPUTED ** SQL injection vulnerability in the \'find_by\' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the \'name\' parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input. | MEDIUM | Jan 10, 2018 |
CVE-2017-17915 | In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadMNGImage in coders/png.c, related to accessing one byte before testing whether a limit has been reached. | MEDIUM | Dec 27, 2017 |
CVE-2017-17914 | In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service (ReadOneMNGImage large loop) via a crafted mng image file. | HIGH | Dec 27, 2017 |
CVE-2017-17913 | In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based buffer over-read in WriteWEBPImage in coders/webp.c, related to an incompatibility with libwebp versions, 0.5.0 and later, that use a different structure type. | MEDIUM | Dec 27, 2017 |
CVE-2017-17912 | In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region. | MEDIUM | Dec 27, 2017 |
CVE-2017-17911 | packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer parameter in an index.php?p=core/contact request, aka Open Bug Bounty ID OBB-278503. | MEDIUM | Dec 27, 2017 |
CVE-2017-17910 | On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. An attacker can intercept an arbitrary radio frame exchanged between a BiSecur transmitter and a receiver to obtain the encrypted packet and the 32-bit serial number. The interception of the one-time pairing process is specifically not required. Due to use of AES-128 with an initial static random value and static data vector (all of this static information is the same across different customers' installations), the attacker can easily derive the utilized encryption key and decrypt the intercepted packet. The key can be verified by decrypting the intercepted packet and checking for known plaintext. Subsequently, an attacker can create arbitrary radio frames with the correct encryption key to control BiSecur garage and entrance gate operators and possibly other BiSecur systems as well (wireless cloning). To conduct the attack, a low cost Software Defined Radio (SDR) is sufficient. This affects Hoermann Hand Transmitter HS5-868-BS, HSE1-868-BS, and HSE2-868-BS devices. | LOW | Dec 29, 2017 |
CVE-2017-17909 | PHP Scripts Mall Responsive Realestate Script has XSS via the admin/general.php gplus parameter. | LOW | Dec 27, 2017 |
CVE-2017-17908 | PHP Scripts Mall Responsive Realestate Script has CSRF via admin/general. | MEDIUM | Dec 27, 2017 |
CVE-2017-17907 | PHP Scripts Mall Car Rental Script has XSS via the admin/areaedit.php carid parameter or the admin/sitesettings.php websitename parameter. | MEDIUM | Dec 27, 2017 |
CVE-2017-17906 | PHP Scripts Mall Car Rental Script has SQL Injection via the admin/carlistedit.php carid parameter. | HIGH | Dec 27, 2017 |
CVE-2017-17905 | PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php. | MEDIUM | Dec 27, 2017 |
CVE-2017-17904 | FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the edit_profile_first_name parameter to user/edit_profile. | LOW | Dec 27, 2017 |
CVE-2017-17903 | FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by adding content to the user panel. | MEDIUM | Dec 27, 2017 |