The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2017-20003 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none | -- | Nov 7, 2023 |
| CVE-2017-20002 | The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM\'s nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges. | MEDIUM | Mar 18, 2021 |
| CVE-2017-20001 | The AES encryption project 7.x and 8.x for Drupal does not sufficiently prevent attackers from decrypting data, aka SA-CONTRIB-2017-027. NOTE: This project is not covered by Drupal\'s security advisory policy. | MEDIUM | Jan 3, 2021 |
| CVE-2017-18926 | raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml). | MEDIUM | Nov 7, 2020 |
| CVE-2017-18925 | opentmpfiles through 0.3.1 allows local users to take ownership of arbitrary files because d entries are mishandled and allow a symlink attack. | LOW | Oct 30, 2020 |
| CVE-2017-18924 | oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states \'As RFC7636 is an extension, I think the claim in the Readme of RFC 6749 compliant is valid and not misleading and I also therefore wouldn\'t describe this as a vulnerability with the library per se. | MEDIUM | Oct 5, 2020 |
| CVE-2017-18923 | beroNet VoIP Gateways before 3.0.16 have a PHP script that allows downloading arbitrary files, including ones with credentials. | MEDIUM | Jul 30, 2020 |
| CVE-2017-18922 | It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow. | HIGH | Jul 6, 2020 |
| CVE-2017-18921 | An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18920 | An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy. | HIGH | Jun 19, 2020 |
| CVE-2017-18919 | An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18918 | An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18917 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18916 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18915 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access. | HIGH | Jun 19, 2020 |
| CVE-2017-18914 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not on an allowlist. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18913 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18912 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file. | HIGH | Jun 19, 2020 |
| CVE-2017-18911 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18910 | An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. E-mail notifications can have spoofed links. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18909 | An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18908 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address. | HIGH | Jun 19, 2020 |
| CVE-2017-18907 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18906 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else\'s account. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18905 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18904 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18903 | An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18902 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18901 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18900 | An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report. | HIGH | Jun 19, 2020 |
| CVE-2017-18899 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18898 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18897 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18896 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18895 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18894 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18893 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18892 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18891 | An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18890 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18889 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18888 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts. | HIGH | Jun 19, 2020 |
| CVE-2017-18887 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator\'s e-mail address to members. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18886 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18885 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user\'s behalf. | HIGH | Jun 19, 2020 |
| CVE-2017-18884 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18883 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18882 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18881 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash command. | MEDIUM | Jun 19, 2020 |
| CVE-2017-18880 | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment. | MEDIUM | Jun 19, 2020 |
