The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2017-16013 | hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached. | MEDIUM | Jun 4, 2018 |
CVE-2017-16012 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-9251. Reason: This candidate is a duplicate of CVE-2015-9251. Notes: All CVE users should reference CVE-2015-9251 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jun 4, 2018 |
CVE-2017-16011 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6708. Reason: This candidate is a duplicate of CVE-2012-6708. Notes: All CVE users should reference CVE-2012-6708 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jun 4, 2018 |
CVE-2017-16010 | i18next is a language translation framework. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not. This vulnerability affects i18next 2.0.0 and later. | MEDIUM | May 29, 2018 |
CVE-2017-16009 | ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid. | MEDIUM | Jun 4, 2018 |
CVE-2017-16008 | i18next is a language translation framework. Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary keys to inject script into the browser. This affects i18next <=1.10.2. | MEDIUM | Jun 4, 2018 |
CVE-2017-16007 | node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. | MEDIUM | Jun 4, 2018 |
CVE-2017-16006 | Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkable allows the use of `data:` URIs in links and can therefore execute javascript. | MEDIUM | Jun 4, 2018 |
CVE-2017-16005 | Http-signature is a reference implementation of Joyent's HTTP Signature Scheme. In versions <=0.9.11, http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature. | MEDIUM | Jun 4, 2018 |
CVE-2017-16003 | windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server. | HIGH | May 29, 2018 |
CVE-2017-16001 | In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) 5.0.1, a local attacker or malware can silently subvert the plugin update process in order to escalate to root privileges. | HIGH | Nov 6, 2017 |
CVE-2017-16000 | SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the graph parameter to module/capacity_per_label/index.php. | MEDIUM | Oct 29, 2017 |
CVE-2017-15999 | In the NQ Contacts Backup & Restore application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required. | MEDIUM | Oct 29, 2017 |
CVE-2017-15998 | In the NQ Contacts Backup & Restore application 1.1 for Android, DES encryption with a static key is used to secure transmitted contact data. This makes it easier for remote attackers to obtain cleartext information by sniffing the network. | MEDIUM | Oct 29, 2017 |
CVE-2017-15997 | In the NQ Contacts Backup & Restore application 1.1 for Android, RC4 encryption is used to secure the user password locally stored in shared preferences. Because there is a static RC4 key, an attacker can gain access to user credentials more easily by leveraging access to the preferences XML file. | LOW | Oct 29, 2017 |
CVE-2017-15996 | elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to cause a denial of service (excessive memory allocation) or possibly have unspecified other impact via a crafted ELF file that triggers a buffer overflow on fuzzed archive header, related to an uninitialized variable, an improper conditional jump, and the get_archive_member_name, process_archive_index_and_symbols, and setup_archive functions. | MEDIUM | Nov 1, 2017 |
CVE-2017-15994 | rsync 3.1.3-development before 2017-10-24, as used in the xlucas svfs rsync fork and other products, mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. | HIGH | Oct 29, 2017 |
CVE-2017-15993 | Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15992 | Website Broker Script allows SQL Injection via the 'status_id' Parameter to status_list.php. | HIGH | Oct 31, 2017 |
CVE-2017-15991 | Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injection in searchCommercial.php via the property_type, city, or posted_by parameter, or searchResidential.php via the property_type, city, or bedroom parameter, a different vulnerability than CVE-2008-3951, CVE-2009-3497, and CVE-2012-0982. | HIGH | Oct 31, 2017 |
CVE-2017-15990 | Php Inventory & Invoice Management System allows Arbitrary File Upload via dashboard/edit_myaccountdetail/. | HIGH | Oct 31, 2017 |
CVE-2017-15989 | Online Exam Test Application allows SQL Injection via the resources.php sort parameter in a category action. | HIGH | Oct 31, 2017 |
CVE-2017-15988 | Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme parameter, a different vulnerability than CVE-2008-6525. | HIGH | Oct 31, 2017 |
CVE-2017-15987 | Fake Magazine Cover Script allows SQL Injection via the rate.php value parameter or the content.php id parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15986 | CPA Lead Reward Script allows SQL Injection via the username parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15985 | Basic B2B Script allows SQL Injection via the product_view1.php pid or id parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15984 | Creative Management System (CMS) Lite 1.4 allows SQL Injection via the S parameter to index.php. | HIGH | Oct 31, 2017 |
CVE-2017-15983 | MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. | HIGH | Oct 31, 2017 |
CVE-2017-15982 | Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. | HIGH | Oct 31, 2017 |
CVE-2017-15981 | Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection via the id parameter to admin/admin_process.php for form editing. | HIGH | Oct 31, 2017 |
CVE-2017-15980 | US Zip Codes Database Script 1.0 allows SQL Injection via the state parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15979 | Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via the photo parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15978 | AROX School ERP PHP Script 1.0 allows SQL Injection via the office_admin/ id parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15977 | Protected Links - Expiring Download Links 1.0 allows SQL Injection via the username parameter. | HIGH | Oct 31, 2017 |
CVE-2017-15976 | ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604. | HIGH | Oct 29, 2017 |
CVE-2017-15975 | Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_id' to add_to_cart.php, a different vulnerability than CVE-2008-4461. | HIGH | Oct 29, 2017 |
CVE-2017-15974 | tPanel 2009 allows SQL injection for Authentication Bypass via 'or 1=1 or ''=' to login.php. | HIGH | Oct 29, 2017 |
CVE-2017-15973 | Sokial Social Network Script 1.0 allows SQL Injection via the id parameter to admin/members_view.php. | HIGH | Oct 29, 2017 |
CVE-2017-15972 | SoftDatepro Dating Social Network 1.3 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15971. | HIGH | Oct 29, 2017 |
CVE-2017-15971 | Same Sex Dating Software Pro 1.0 allows SQL Injection via the viewprofile.php profid parameter, the viewmessage.php sender_id parameter, or the /admin Email field, a related issue to CVE-2017-15972. | HIGH | Oct 29, 2017 |
CVE-2017-15970 | PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index.php in a page=news action, or the cat parameter. | HIGH | Oct 29, 2017 |
CVE-2017-15969 | PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to search/tag, friends/index, users/profile, or video_catalog/category. | HIGH | Oct 29, 2017 |
CVE-2017-15968 | MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.php subcategory parameter. | HIGH | Oct 29, 2017 |
CVE-2017-15967 | Mailing List Manager Pro 3.0 allows SQL Injection via the edit parameter to admin/users in a sort=login action, or the edit parameter to admin/template. | HIGH | Oct 29, 2017 |
CVE-2017-15966 | The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! allows SQL Injection via the placemarklistid parameter to index.php. | HIGH | Oct 29, 2017 |
CVE-2017-15965 | The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joomla! allows SQL Injection via the id parameter in an invoice.create action. | HIGH | Oct 29, 2017 |
CVE-2017-15964 | Job Board Script Software allows SQL Injection via the PATH_INFO to a /job-details URI. | HIGH | Oct 29, 2017 |
CVE-2017-15963 | iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.php sc parameter or the service-provider.php ser parameter. | HIGH | Oct 29, 2017 |
CVE-2017-15962 | iStock Management System 1.0 allows Arbitrary File Upload via user/profile. | HIGH | Oct 29, 2017 |
CVE-2017-15961 | iProject Management System 1.0 allows SQL Injection via the ID parameter to index.php. | HIGH | Oct 29, 2017 |