CVEs from 2017
Total
11,609
critical
critical 1,650
high
high 5,044
medium
medium 4,169
low
low 159
% Critical
14.2%
% with KEV
0.7%
% with exploit
9.9%
Top vendors
Top products
- imagemagick 1,426
- joomla\! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-5166 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in BINOM3 Universal Multifunctional Electric Power Quality Meter. An INFORMATION EXPOSURE flaw can be used to gain privileged access to the device. | |||
| CVE-2017-5159 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered on Phoenix Contact mGuard devices that have been updated to Version 8.4.0. When updating an mGuard device to Version 8.4.0 via the update-upload facility, the update will succ… | |||
| CVE-2017-5154 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Advantech WebAccess Version 8.1. To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. Successful attack… | |||
| CVE-2017-5144 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. The access control flaw allows access to most application functions wi… | |||
| CVE-2017-5140 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Password is stored in clear text. | |||
| CVE-2017-5139 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Any user is able to disclose a password by accessing a speci… | |||
| CVE-2017-5954 | critical | 9.8 | 9.8 | 9y ago | Code Execution Through IIFE in serialize-to-js | |||
| CVE-2017-5953 | critical | 9.8 | 9.8 | 9y ago | vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer over… | |||
| CVE-2017-5180 | high | 8.8 | 9.8 | 9y ago | Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users … | |||
| CVE-2017-3807 | high | 8.8 | 9.8 | 9y ago | A vulnerability in Common Internet Filesystem (CIFS) code in the Clientless SSL VPN functionality of Cisco ASA Software, Major Releases 9.0-9.6, could allow an authenticated, remote attacker to cause… | |||
| CVE-2017-2765 | critical | 9.8 | 9.8 | 10y ago | EMC Isilon InsightIQ 4.1.0, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0, 3.0.1, 3.0.0 is affected by an authentication bypass vulnerability that could potentially be exploited by attackers to com… | |||
| CVE-2017-5677 | critical | 9.8 | 9.8 | 10y ago | PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression. | |||
| CVE-2017-5879 | critical | 9.8 | 9.8 | 10y ago | An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to… | |||
| CVE-2017-2768 | critical | 9.8 | 9.8 | 10y ago | EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contai… | |||
| CVE-2017-2767 | critical | 9.8 | 9.8 | 10y ago | EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configuration Manager (NCM) 9.4.0.x, EMC Network Configuration Manager (NCM) 9.4.1.x, EMC Network Configuration Manager (NCM) 9.4.2.x contai… | |||
| CVE-2017-2766 | critical | 9.8 | 9.8 | 10y ago | EMC Documentum eRoom version 7.4.4, EMC Documentum eRoom version 7.4.4 SP1, EMC Documentum eRoom version prior to 7.4.5 P04, EMC Documentum eRoom version prior to 7.5.0 P01 includes an unverified pas… | |||
| CVE-2017-5600 | critical | 9.8 | 9.8 | 10y ago | The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 allows remote attackers to obtain administrative access by leveraging a default privileged account. | |||
| CVE-2017-5219 | critical | 9.8 | 9.8 | 10y ago | An issue was discovered in SageCRM 7.x before 7.3 SP3. The Component Manager functionality, provided by SageCRM, permits additional components to be added to the application to enhance provided funct… | |||
| CVE-2017-3792 | critical | 9.8 | 9.8 | 10y ago | A vulnerability in a proprietary device driver in the kernel of Cisco TelePresence Multipoint Control Unit (MCU) Software could allow an unauthenticated, remote attacker to execute arbitrary code or … | |||
| CVE-2017-3823 | high | 8.8 | 9.8 | 10y ago | An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Container before 106 on Mozilla Firefox, the GpcContainer Class ActiveX control plug… | |||
| CVE-2017-5611 | critical | 9.8 | 9.8 | 10y ago | SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected… | |||
| CVE-2017-5486 | critical | 9.8 | 9.8 | 10y ago | The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). | |||
| CVE-2017-5485 | critical | 9.8 | 9.8 | 10y ago | The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in addrtoname.c:lookup_nsap(). | |||
| CVE-2017-5484 | critical | 9.8 | 9.8 | 10y ago | The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print-atm.c:sig_print(). | |||
| CVE-2017-5483 | critical | 9.8 | 9.8 | 10y ago | The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print-snmp.c:asn1_parse(). | |||
| CVE-2017-5482 | critical | 9.8 | 9.8 | 10y ago | The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in print-fr.c:q933_print(), a different vulnerability than CVE-2016-8575. | |||
| CVE-2017-5342 | critical | 9.8 | 9.8 | 10y ago | In tcpdump before 4.9.0, a bug in multiple protocol parsers (Geneve, GRE, NSH, OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in print-ether.c:ether_print(). | |||
| CVE-2017-5341 | critical | 9.8 | 9.8 | 10y ago | The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print-otv.c:otv_print(). | |||
| CVE-2017-5205 | critical | 9.8 | 9.8 | 10y ago | The ISAKMP parser in tcpdump before 4.9.0 has a buffer overflow in print-isakmp.c:ikev2_e_print(). | |||
| CVE-2017-5204 | critical | 9.8 | 9.8 | 10y ago | The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print-ip6.c:ip6_print(). | |||
| CVE-2017-5203 | critical | 9.8 | 9.8 | 10y ago | The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in print-bootp.c:bootp_print(). | |||
| CVE-2017-5202 | critical | 9.8 | 9.8 | 10y ago | The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in print-isoclns.c:clnp_print(). | |||
| CVE-2017-3266 | critical | 9.8 | 9.8 | 10y ago | Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.2 and 8.5.3. Easily exploitabl… | |||
| CVE-2017-5569 | critical | 9.8 | 9.8 | 10y ago | An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. This is a blind SQL injection within the template.jsp, which can be exploited without the need of authentication and via an HTTP… | |||
| CVE-2017-5575 | critical | 9.8 | 9.8 | 10y ago | SQL injection vulnerability in inc/lib/Options.class.php in GeniXCMS before 1.0.0 allows remote attackers to execute arbitrary SQL commands via the modules parameter. | |||
| CVE-2017-5574 | critical | 9.8 | 9.8 | 10y ago | SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 allows unauthenticated users to execute arbitrary SQL commands via the activation parameter. | |||
| CVE-2017-5543 | critical | 9.8 | 9.8 | 10y ago | Subrion CMS PHP Object Injection | |||
| CVE-2017-5519 | critical | 9.8 | 9.8 | 10y ago | SQL injection vulnerability in Posts.class.php in GeniXCMS through 0.0.8 allows remote attackers to execute arbitrary SQL commands via the id parameter. | |||
| CVE-2017-5517 | critical | 9.8 | 9.8 | 10y ago | SQL injection vulnerability in author.control.php in GeniXCMS through 0.0.8 allows remote attackers to execute arbitrary SQL commands via the type parameter. | |||
| CVE-2017-5473 | high | 8.8 | 9.8 | 10y ago | Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user… | |||
| CVE-2017-5340 | critical | 9.8 | 9.8 | 10y ago | Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial o… | |||
| CVE-2017-2935 | high | 8.8 | 9.8 | 10y ago | Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when processing the Flash Video container file format. Successful exploitation could lead to arbitra… | |||
| CVE-2017-2934 | high | 8.8 | 9.8 | 10y ago | Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability when parsing Adobe Texture Format files. Successful exploitation could lead to arbitrary code execut… | |||
| CVE-2017-2933 | high | 8.8 | 9.8 | 10y ago | Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable heap overflow vulnerability related to texture compression. Successful exploitation could lead to arbitrary code execution. | |||
| CVE-2017-2932 | high | 8.8 | 9.8 | 10y ago | Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable use after free vulnerability in the ActionScript MovieClip class. Successful exploitation could lead to arbitrary code execution. | |||
| CVE-2017-2931 | high | 8.8 | 9.8 | 10y ago | Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability related to the parsing of SWF metadata. Successful exploitation could lead to arbitrary code exe… | |||
| CVE-2017-2930 | high | 8.8 | 9.8 | 10y ago | Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable memory corruption vulnerability due to a concurrency error when manipulating a display list. Successful exploitation could lead … | |||
| CVE-2017-5005 | critical | 9.8 | 9.8 | 10y ago | Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 and earlier, Total Security 10.1.0.316 and earlier, and AntiVirus Pro 10.1.0.316 and earlier on OS X allows remote attackers to … | |||
| CVE-2017-14589 | critical | 9.6 | 9.6 | 9y ago | It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that … | |||
| CVE-2017-12372 | critical | 9.6 | 9.6 | 9y ago | A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerability" exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.… | |||
| CVE-2017-12371 | critical | 9.6 | 9.6 | 9y ago | A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerability" exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.… | |||
| CVE-2017-12370 | critical | 9.6 | 9.6 | 9y ago | A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerability" exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.… | |||
| CVE-2017-12369 | critical | 9.6 | 9.6 | 9y ago | A "Cisco WebEx Network Recording Player Out-of-Bounds Vulnerability" exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. A remot… | |||
| CVE-2017-12368 | critical | 9.6 | 9.6 | 9y ago | A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerability" exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files.… | |||
| CVE-2017-12367 | critical | 9.6 | 9.6 | 9y ago | A "Cisco WebEx Network Recording Player Denial of Service Vulnerability" exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. A r… | |||
| CVE-2017-3891 | critical | 9.6 | 9.6 | 9y ago | In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more Q… | |||
| CVE-2017-5053 | critical | 9.6 | 9.6 | 9y ago | arbitrary code execution in chromium | |||
| CVE-2017-15644 | high | 8.6 | 9.6 | 9y ago | SSRF exists in Webmin 1.850 via the PATH_INFO to tunnel/link.cgi, as demonstrated by a GET request for tunnel/link.cgi/http://INTRANET-IP:8000. | |||
| CVE-2017-10346 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u14… | |||
| CVE-2017-10285 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. E… | |||
| CVE-2017-10111 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 8u131; Java SE Embedded: 8u131. Easily exploit… | |||
| CVE-2017-10110 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthe… | |||
| CVE-2017-10107 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easi… | |||
| CVE-2017-10101 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Eas… | |||
| CVE-2017-10096 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Eas… | |||
| CVE-2017-10090 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131. Easil… | |||
| CVE-2017-10089 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows una… | |||
| CVE-2017-10087 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131… | |||
| CVE-2017-10086 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u141 and 8u131. Easily exploitable vulnerability allows unauthentic… | |||
| CVE-2017-3882 | critical | 9.6 | 9.6 | 9y ago | A vulnerability in the Universal Plug-and-Play (UPnP) implementation in the Cisco CVR100W Wireless-N VPN Router could allow an unauthenticated, Layer 2-adjacent attacker to execute arbitrary code or … | |||
| CVE-2017-3510 | critical | 9.6 | 9.6 | 9y ago | Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel Zones virtualized NIC driver). The supported version that is affected is 11.3. Easily "exploitable" v… | |||
| CVE-2017-3289 | critical | 9.6 | 9.6 | 10y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111. Easily … | |||
| CVE-2017-3272 | critical | 9.6 | 9.6 | 10y ago | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111… | |||
| CVE-2017-15408 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-15392 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-7771 | critical | — | 9.5 | — | Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphite2::Pass::readPass function. | |||
| CVE-2017-15422 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-5393 | critical | — | 9.5 | — | The "mozAddonManager" allows for the installation of extensions from the CDN for addons.mozilla.org, a publicly accessible site. This could allow malicious extensions to install additional extensions… | |||
| CVE-2017-5402 | critical | — | 9.5 | — | A use-after-free can occur when events are fired for a "FontFace" object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. Th… | |||
| CVE-2017-5133 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-15393 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-5414 | critical | — | 9.5 | — | The file picker dialog can choose and display the wrong local default directory when instantiated. On some operating systems, this can lead to information disclosure, such as the operating system or … | |||
| CVE-2017-15387 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-5417 | critical | — | 9.5 | — | When dragging content from the primary browser pane to the addressbar on a malicious site, it is possible to change the addressbar so that the displayed location following navigation does not match t… | |||
| CVE-2017-12379 | critical | — | 9.5 | — | ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute ar… | |||
| CVE-2017-5418 | critical | — | 9.5 | — | An out of bounds read error occurs when parsing some HTTP digest authorization responses, resulting in information leakage through the reading of random memory containing matches to specifically set … | |||
| CVE-2017-15409 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-5456 | critical | — | 9.5 | — | A mechanism to bypass file system access protections in the sandbox using the file system request constructor through an IPC message. This allows for read and write access to the local file system. T… | |||
| CVE-2017-15418 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-5449 | critical | — | 9.5 | — | A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, … | |||
| CVE-2017-7757 | critical | — | 9.5 | — | A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. This vulnerab… | |||
| CVE-2017-5391 | critical | — | 9.5 | — | Special "about:" pages used by web content, such as RSS feeds, can load privileged "about:" pages in an iframe. If a content-injection bug were found in one of those pages this could allow for potent… | |||
| CVE-2017-7780 | critical | — | 9.5 | — | Memory safety bugs were reported in Firefox 54. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary c… | |||
| CVE-2017-5398 | critical | — | 9.5 | — | Memory safety bugs were reported in Thunderbird 45.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbit… | |||
| CVE-2017-7789 | critical | — | 9.5 | — | If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connectio… | |||
| CVE-2017-7797 | critical | — | 9.5 | — | Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin. This vulnerabilit… | |||
| CVE-2017-7798 | critical | — | 9.5 | — | The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when open… | |||
| CVE-2017-5439 | critical | — | 9.5 | — | A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Fire… | |||
| CVE-2017-5128 | critical | — | 9.5 | — | multiple issues in chromium | |||
| CVE-2017-5396 | critical | — | 9.5 | — | A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. This vulnerability affects Thunderbird < 4… |