The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2017-1002157 | modulemd 1.3.1 and earlier uses an unsafe function for processing externally provided data, leading to remote code execution. | HIGH | Jan 10, 2019 |
| CVE-2017-1002153 | Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission. | MEDIUM | Oct 6, 2017 |
| CVE-2017-1002152 | Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles. | MEDIUM | Jan 10, 2019 |
| CVE-2017-1002151 | Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization | MEDIUM | Oct 16, 2019 |
| CVE-2017-1002150 | python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection | Medium | Sep 21, 2017 |
| CVE-2017-1002102 | In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running. | MEDIUM | Mar 13, 2018 |
| CVE-2017-1002101 | In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host\'s filesystem. | MEDIUM | Mar 13, 2018 |
| CVE-2017-1002100 | Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to container which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal. | MEDIUM | Sep 14, 2017 |
| CVE-2017-1002028 | Vulnerability in wordpress plugin wordpress-gallery-transformation v1.0, SQL injection is in ./wordpress-gallery-transformation/gallery.php via $jpic parameter being unsanitized before being passed into an SQL query. | High | Sep 20, 2017 |
| CVE-2017-1002027 | Vulnerability in wordpress plugin rk-responsive-contact-form v1.0, The variable $delid isn't sanitized before being passed into an SQL query in file ./rk-responsive-contact-form/include/rk_user_list.php. | High | Sep 20, 2017 |
| CVE-2017-1002026 | Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, The function edit_event_category does not sanitize user-supplied input via the $id parameter before passing it into an SQL statement. | Medium | Sep 20, 2017 |
| CVE-2017-1002025 | Vulnerability in wordpress plugin add-edit-delete-listing-for-member-module v1.0, The plugin author does not sanitize user supplied input via $act before passing it into an SQL statement. | Medium | Sep 21, 2017 |
| CVE-2017-1002024 | Vulnerability in web application Kind Editor v4.1.12, kindeditor/php/upload_json.php does not check authentication before allow users to upload files. | MEDIUM | Sep 14, 2017 |
| CVE-2017-1002023 | Vulnerability in wordpress plugin Easy Team Manager v1.3.2, The code does not sanitize id before making it part of an SQL statement in file ./easy-team-manager/inc/easy_team_manager_desc_edit.php | High | Sep 21, 2017 |
| CVE-2017-1002022 | Vulnerability in wordpress plugin surveys v1.01.8, The code in questions.php does not sanitize the survey variable before placing it inside of an SQL query. | High | Sep 18, 2017 |
| CVE-2017-1002021 | Vulnerability in wordpress plugin surveys v1.01.8, The code in individual_responses.php does not sanitize the survey_id variable before placing it inside of an SQL query. | High | Sep 18, 2017 |
| CVE-2017-1002020 | Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_form.php does not sanitize the action variable before placing it inside of an SQL query. | High | Sep 19, 2017 |
| CVE-2017-1002019 | Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and event_form.php code do not sanitize input, this allows for blind SQL injection via the event parameter. | High | Sep 18, 2017 |
| CVE-2017-1002018 | Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form and attendees.php code do not sanitize input, this allows for blind SQL injection via the event parameter. | High | Sep 18, 2017 |
| CVE-2017-1002017 | Vulnerability in wordpress plugin gift-certificate-creator v1.0, The code in gc-list.php doesn't sanitize user input to prevent a stored XSS vulnerability. | Medium | Sep 21, 2017 |
| CVE-2017-1002016 | Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code in flickr-picture-download.php doesn't check to see if the user is authenticated or that they have permission to upload files. | HIGH | Sep 14, 2017 |
| CVE-2017-1002015 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via selectMulGallery parameter. | High | Sep 20, 2017 |
| CVE-2017-1002014 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection in image-gallery-with-slideshow/admin_setting.php via gallery_name parameter. | High | Sep 20, 2017 |
| CVE-2017-1002013 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, Blind SQL Injection via imgid parameter in image-gallery-with-slideshow/admin_setting.php. | High | Sep 20, 2017 |
| CVE-2017-1002012 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, In image-gallery-with-slideshow/admin_setting.php the following snippet of code does not sanitize input via the gid variable before passing it into an SQL statement. | High | Sep 20, 2017 |
| CVE-2017-1002011 | Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, There is a stored XSS vulnerability via the $value->gallery_name and $value->gallery_description where anyone with privileges to modify or add galleries/images and inject javascript into the database. | Low | Sep 20, 2017 |
| CVE-2017-1002010 | Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete_media function. | High | Sep 21, 2017 |
| CVE-2017-1002009 | Vulnerability in wordpress plugin Membership Simplified v1.58, The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via recordId in the delete function. | High | Sep 21, 2017 |
| CVE-2017-1002008 | Vulnerability in wordpress plugin membership-simplified-for-oap-members-only v1.58, The file download code located membership-simplified-for-oap-members-only/download.php does not check whether a user is logged in and has download privileges. | HIGH | Sep 15, 2017 |
| CVE-2017-1002007 | Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/save_mail.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table. | Medium | Sep 18, 2017 |
| CVE-2017-1002006 | Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/save_contact.php doesn't check that the user is authorized before injecting new contacts into the wp_contact table. | Medium | Sep 18, 2017 |
| CVE-2017-1002005 | Vulnerability in wordpress plugin DTracker v1.5, In file ./dtracker/delete.php user input isn't sanitized via the contact_id variable before adding it to the end of an SQL query. | Medium | Sep 18, 2017 |
| CVE-2017-1002004 | Vulnerability in wordpress plugin DTracker v1.5, In file ./dtracker/download.php user input isn't sanitized via the id variable before adding it to the end of an SQL query. | Medium | Sep 18, 2017 |
| CVE-2017-1002003 | Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android-app v1.1.4, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. | HIGH | Sep 15, 2017 |
| CVE-2017-1002002 | Vulnerability in wordpress plugin webapp-builder v2.0, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/ | HIGH | Sep 15, 2017 |
| CVE-2017-1002001 | Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05, The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com. | HIGH | Sep 15, 2017 |
| CVE-2017-1002000 | Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easytouch v3.0, The code in file ./mobile-friendly-app-builder-by-easytouch/server/images.php doesn't require authentication or check that the user is allowed to upload content. | HIGH | Sep 15, 2017 |
| CVE-2017-1001004 | typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. | MEDIUM | Nov 27, 2017 |
| CVE-2017-1001003 | math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object. | HIGH | Nov 27, 2017 |
| CVE-2017-1001002 | math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. | HIGH | Nov 27, 2017 |
| CVE-2017-1001001 | PluXml version 5.6 is vulnerable to stored cross-site scripting vulnerability, within the article creation page, which can result in escalation of privileges. | LOW | Nov 1, 2017 |
| CVE-2017-1001000 | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. | MEDIUM | Apr 10, 2017 |
| CVE-2017-1000600 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 | MEDIUM | Sep 6, 2018 |
| CVE-2017-1000510 | Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) vulnerability in Page name that can result in execution of javascript code. | LOW | Feb 9, 2018 |
| CVE-2017-1000509 | Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript code. | LOW | Feb 9, 2018 |
| CVE-2017-1000508 | Invoice Plane version 1.5.4 and earlier contains a Cross Site Scripting (XSS) vulnerability in Client's details that can result in execution of javascript code . This vulnerability appears to have been fixed in 1.5.5 and later. | MEDIUM | Feb 9, 2018 |
| CVE-2017-1000507 | Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulnerability in User's details that can result in denial of service and execution of javascript code. | LOW | Feb 9, 2018 |
| CVE-2017-1000506 | Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in Company's name that can result in denial of service and execution of javascript code. | MEDIUM | Feb 9, 2018 |
| CVE-2017-1000505 | In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval. | MEDIUM | Jan 25, 2018 |
| CVE-2017-1000504 | A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the \'Please wait while Jenkins is getting ready to work\' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. | MEDIUM | Jan 24, 2018 |
