The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2017-1000491 | Shiba markdown live preview app version 1.1.0 is vulnerable to XSS which leads to code execution due to enabled node integration. | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000490 | Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000489 | Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000488 | Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000487 | Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. | HIGH | Jan 3, 2018 |
| CVE-2017-1000486 | Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution | HIGH | Jan 3, 2018 |
| CVE-2017-1000485 | Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations. | LOW | Jan 3, 2018 |
| CVE-2017-1000484 | By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and login, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.) | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000483 | Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000482 | A member of the Plone 2.5-5.1rc1 site could set javascript in the home_page property of his profile, and have this executed when a visitor click the home page link on the author page. | LOW | Jan 3, 2018 |
| CVE-2017-1000481 | When you visit a page where you need to login, Plone 2.5-5.1rc1 sends you to the login form with a 'came_from' parameter set to the previous url. After you login, you get redirected to the page you tried to view before. An attacker might try to abuse this by letting you click on a specially crafted link. You would login, and get redirected to the site of the attacker, letting you think that you are still on the original Plone site. Or some javascript of the attacker could be executed. Most of these types of attacks are already blocked by Plone, using the `isURLInPortal` check to make sure we only redirect to a page on the same Plone site. But a few more ways of tricking Plone into accepting a malicious link were discovered, and fixed with this hotfix. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000480 | Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name. | HIGH | Jan 3, 2018 |
| CVE-2017-1000479 | pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under possibly insecure suspicions. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000478 | ELabftw version 1.7.8 is vulnerable to stored cross-site scripting in the experiment infos component resulting in arbitrary execution of JavaScript and denial of service. | LOW | Jan 3, 2018 |
| CVE-2017-1000477 | XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result in denial of service attacks. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000476 | ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. | HIGH | Jan 3, 2018 |
| CVE-2017-1000475 | FreeSSHd 1.3.1 version is vulnerable to an Unquoted Path Service allowing local users to launch processes with elevated privileges. | MEDIUM | Jan 24, 2018 |
| CVE-2017-1000474 | Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is vulnerable to multiple SQL Injecting in login/vehicle.php, login/profile.php, login/Actions.php, login/manage_employee.php, and login/sell.php scripts resulting in the expose of user's login credentials, SQL Injection and Stored XSS vulnerability, which leads to remote code executing. | HIGH | Jan 24, 2018 |
| CVE-2017-1000473 | Linux Dash up to version v2 is vulnerable to multiple command injection vulnerabilities in the way module names are parsed and then executed resulting in code execution on the server, potentially as root. | HIGH | Jan 3, 2018 |
| CVE-2017-1000472 | The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value in the ZIP header, which allows attackers to conduct absolute path traversal attacks during the ZIP decompression, and possibly create or overwrite arbitrary files, via a crafted ZIP file, related to a file path injection vulnerability. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000471 | EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service. | HIGH | Jan 3, 2018 |
| CVE-2017-1000470 | EmbedThis GoAhead Webserver versions 4.0.0 and earlier is vulnerable to an integer overflow in the HTTP listener resulting in denial of service. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000469 | Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the add repo component resulting in arbitrary code execution as root user. | HIGH | Jan 3, 2018 |
| CVE-2017-1000468 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2017-1000467 | LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vulnerability, within the blog creation page, which can result in disruption of service and execution of javascript code. | LOW | Jan 3, 2018 |
| CVE-2017-1000466 | Invoice Ninja version 3.8.1 is vulnerable to stored cross-site scripting vulnerability, within the invoice creation page, which can result in disruption of service and execution of javascript code. | LOW | Jan 2, 2018 |
| CVE-2017-1000465 | Sulu-standard version 1.6.6 is vulnerable to stored cross-site scripting vulnerability, within the page creation page, which can result in disruption of service and execution of javascript code. | LOW | Jan 9, 2018 |
| CVE-2017-1000464 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
| CVE-2017-1000463 | Leafpub version 1.2.0-beta6 is vulnerable to stored cross-site scripting vulnerability, within the edit blog post page, which can result in disruption of service and execution of javascript code. | LOW | Jan 2, 2018 |
| CVE-2017-1000462 | BookStack version 0.18.4 is vulnerable to stored cross-site scripting, within the page creation page, which can result in disruption of service and execution of javascript code. | LOW | Jan 3, 2018 |
| CVE-2017-1000461 | Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulnerable to an incorrect access control issue in the JS fingerprinting blocking component, resulting in a malicious website being able to access the fingerprinting-associated browser functionality (that the browser intends to block). | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000460 | In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chromium(56 prior Feb 13, 2017), the return value of init_get_bits is ignored and get_ue_golomb(&gb) is called on an uninitialized get_bits context, which causes a NULL deref exception. | MEDIUM | Jan 3, 2018 |
| CVE-2017-1000459 | Leanote version <= 2.5 is vulnerable to XSS due to not sanitized input in markdown notes | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000458 | Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ContentLine analyzer allowing remote attackers to cause a denial of service (crash) and possibly other exploitation. | HIGH | Jan 2, 2018 |
| CVE-2017-1000457 | Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal version 2.5.0.0 allows remote attackers to inject arbitrary web script or HTML via the helpkey parameter. Exploitation requires authenticated reflected cross-site scripting for user accounts assigned either the Administrators or Content Administrators role. | LOW | Jan 2, 2018 |
| CVE-2017-1000456 | freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to overflow in subsequent calculations. | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000455 | GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in the store, violating a fundamental security assumption of GNU Guix. | LOW | Jan 2, 2018 |
| CVE-2017-1000454 | CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1 | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000453 | CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templating injection in some core modules, resulting in unauthenticated PHP code execution. | HIGH | Jan 2, 2018 |
| CVE-2017-1000452 | An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and earlier, and in predecessor Express-saml2 which could allow attackers to impersonate arbitrary users. | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000451 | fs-git is a file system like api for git repository. The fs-git version 1.0.1 module relies on child_process.exec, however, the buildCommand method used to construct exec strings does not properly sanitize data and is vulnerable to command injection across all methods that use it and call exec. | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000450 | In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and FillUniGray do not check the input length, which can lead to integer overflow. If the image is from remote, may lead to remote code execution or denial of service. This affects Opencv 3.3 and earlier. | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000449 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA due to lack of a reference providing provenance. Notes: none | -- | Nov 7, 2023 |
| CVE-2017-1000448 | Structured Data Linter versions 2.4.1 and older are vulnerable to a directory traversal attack in the URL input field resulting in the possibility of disclosing information about the remote host. | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000447 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-15955. Reason: This candidate is a reservation duplicate of CVE-2017-15955. Notes: All CVE users should reference CVE-2017-15955 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 |
| CVE-2017-1000446 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-15954. Reason: This candidate is a reservation duplicate of CVE-2017-15954. Notes: All CVE users should reference CVE-2017-15954 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 |
| CVE-2017-1000445 | ImageMagick 7.0.7-1 and older version are vulnerable to null pointer dereference in the MagickCore component and might lead to denial of service | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000444 | Eleix Openhacker version 0.1.47 is vulnerable to an SQL injection in the account registration and login component resulting in information disclosure and remote code execution | HIGH | Jan 2, 2018 |
| CVE-2017-1000443 | Eleix Openhacker version 0.1.47 is vulnerable to a XSS vulnerability in the bank transactions component resulting in arbitrary code execution in the browser. | MEDIUM | Jan 2, 2018 |
| CVE-2017-1000442 | Passbolt API version 1.6.4 and older are vulnerable to a XSS in the url field on the password workspace | LOW | Jan 2, 2018 |
