CVEs from 2017
Total
11,610
critical
critical 1,650
high
high 5,043
medium
medium 4,169
low
low 159
% Critical
14.2%
% with KEV
0.7%
% with exploit
9.9%
Top vendors
Top products
- imagemagick 1,426
- joomla\! 932
- kanboard 848
- ntp 762
- tomcat 676
- mahara 572
- postgresql 492
- asterisk 435
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-15108 | unknown | — | — | — | spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary comm… | |||
| CVE-2017-12150 | unknown | — | — | — | It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-… | |||
| CVE-2017-5425 | unknown | — | — | — | The Gecko Media Plugin sandbox allows access to local files that match specific regular expressions. On OS OX, this matching allows access to some data in subdirectories of "/private/var" that could … | |||
| CVE-2017-15101 | unknown | — | — | — | A missing patch for a stack-based buffer overflow in findTable() was found in Red Hat version of liblouis before 2.5.4. An attacker could cause a denial of service condition or potentially even arbit… | |||
| CVE-2017-2630 | unknown | — | — | — | A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a '… | |||
| CVE-2017-12182 | unknown | — | — | — | xorg-x11-server before 1.19.5 was missing length validation in XFree86 DRI extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. | |||
| CVE-2017-12187 | unknown | — | — | — | xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code. | |||
| CVE-2017-18253 | unknown | — | — | — | An issue was discovered in ImageMagick 7.0.7. A NULL pointer dereference vulnerability was found in the function LoadOpenCLDevices in MagickCore/opencl.c, which allows attackers to cause a denial of … | |||
| CVE-2017-7755 | unknown | — | — | — | The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with el… | |||
| CVE-2017-7767 | unknown | — | — | — | The Mozilla Maintenance Service can be invoked by an unprivileged user to overwrite arbitrary files with junk data using the Mozilla Windows Updater, which runs with the Maintenance Service's privile… | |||
| CVE-2017-7782 | unknown | — | — | — | An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections. Note: This attack only affects Windows operating sys… | |||
| CVE-2017-7804 | unknown | — | — | — | The destructor function for the "WindowsDllDetourPatcher" class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location i… | |||
| CVE-2017-20189 | unknown | — | — | 2y ago | Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization | |||
| CVE-2017-20151 | unknown | — | — | 4y ago | iText RUPS XML External Entity vulnerability | |||
| CVE-2017-15682 | unknown | — | — | 4y ago | Cross site scripting in Crafter CMS | |||
| CVE-2017-15683 | unknown | — | — | 4y ago | XML injection in Crafter CMS | |||
| CVE-2017-15680 | unknown | — | — | 4y ago | Missing Authorization in Crafter CMS | |||
| CVE-2017-11365 | unknown | — | — | 4y ago | Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The compo… | |||
| CVE-2017-12622 | unknown | — | — | 4y ago | Apache Geode gfsh authorization vulnerability | |||
| CVE-2017-9796 | unknown | — | — | 4y ago | Apache Geode OQL bind parameter vulnerability | |||
| CVE-2017-15717 | unknown | — | — | 4y ago | Cross-site Scripting in Apache Sling XSS Protection API | |||
| CVE-2017-3158 | unknown | — | — | 4y ago | Apache Guacamole Race Condition vulnerability | |||
| CVE-2017-1000397 | unknown | — | — | 4y ago | MitM on Jenkins Maven Plugin | |||
| CVE-2017-1000402 | unknown | — | — | 4y ago | Jenkins Swarm Plugin Client vulnerable to man-in-the-middle attacks | |||
| CVE-2017-1000404 | unknown | — | — | 4y ago | Jenkins Delivery Pipeline Plugin Cross-site Scripting vulnerability | |||
| CVE-2017-1000389 | unknown | — | — | 4y ago | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin | |||
| CVE-2017-1000505 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor Jenkins Script Security Plugin | |||
| CVE-2017-1000503 | unknown | — | — | 4y ago | Race Condition in Jenkins | |||
| CVE-2017-15697 | unknown | — | — | 4y ago | Apache NiFi XSS issue in context path handling | |||
| CVE-2017-1000502 | unknown | — | — | 4y ago | Arbitrary shell command execution in Jenkins EC2 Plugin | |||
| CVE-2017-12632 | unknown | — | — | 4y ago | Apache NiFi host header poisoning issue | |||
| CVE-2017-15712 | unknown | — | — | 4y ago | Path Traversal in Apache Oozie | |||
| CVE-2017-15696 | unknown | — | — | 4y ago | Apache Geode configuration request authorization vulnerability | |||
| CVE-2017-15692 | unknown | — | — | 4y ago | Apache Geode unsafe deserialization in TcpServer | |||
| CVE-2017-15693 | unknown | — | — | 4y ago | Apache Geode unsafe deserialization of application objects | |||
| CVE-2017-1000425 | unknown | — | — | 4y ago | Liferay Portal XSS vulnerability via movie parameter in the /html/portal/flash.jsp page | |||
| CVE-2017-16790 | unknown | — | — | 4y ago | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST … | |||
| CVE-2017-16652 | unknown | — | — | 4y ago | An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler t… | |||
| CVE-2017-16654 | unknown | — | — | 4y ago | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the … | |||
| CVE-2017-15706 | unknown | — | — | 4y ago | As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorit… | |||
| CVE-2017-1000399 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2017-1000504 | unknown | — | — | 4y ago | Cross-Site Request Forgery in Jenkins | |||
| CVE-2017-1000395 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2017-1000396 | unknown | — | — | 4y ago | Improper Certificate Validation in Jenkins | |||
| CVE-2017-1000398 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2017-1000401 | unknown | — | — | 4y ago | Improper Input Validation in Jenkins | |||
| CVE-2017-1000394 | unknown | — | — | 4y ago | Improper Input Validation in Jenkins | |||
| CVE-2017-1000391 | unknown | — | — | 4y ago | Improper Input Validation in Jenkins | |||
| CVE-2017-1000392 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2017-1000393 | unknown | — | — | 4y ago | OS Command Injection in Jenkins | |||
| CVE-2017-15089 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Infinispan | |||
| CVE-2017-1000386 | unknown | — | — | 4y ago | Cross-site Scripting in Jenkins Active Choices plugin | |||
| CVE-2017-15719 | unknown | — | — | 4y ago | Cross-site Scripting in wicket-jquery-ui | |||
| CVE-2017-15691 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in Apache uimaj | |||
| CVE-2017-9795 | unknown | — | — | 4y ago | Apache Geode OQL method invocation vulnerability | |||
| CVE-2017-1000190 | unknown | — | — | 4y ago | SimpleXML has XML External Entity (XXE) vulnerability | |||
| CVE-2017-1000426 | unknown | — | — | 4y ago | MapProxy version 1.10.3 and older is vulnerable to a Cross Site Scripting attack in the demo service resulting in possible information disclosure. | |||
| CVE-2017-18191 | unknown | — | — | 4y ago | An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt t… | |||
| CVE-2017-16653 | unknown | — | — | 4y ago | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different token… | |||
| CVE-2017-1000387 | unknown | — | — | 4y ago | Jenkins Build-Publisher plugin has Insufficiently Protected Credentials | |||
| CVE-2017-1000403 | unknown | — | — | 4y ago | Arbitrary code execution vulnerability in Jenkins Speaks! Plugin | |||
| CVE-2017-12165 | unknown | — | — | 4y ago | Undertow Request Smuggling vulnerability | |||
| CVE-2017-12197 | unknown | — | — | 4y ago | Improper Input Validation in libpam4j | |||
| CVE-2017-12196 | unknown | — | — | 4y ago | Incorrect Authorization in Undertow | |||
| CVE-2017-2602 | unknown | — | — | 4y ago | Incomplete List of Disallowed Inputs in Jenkins | |||
| CVE-2017-2598 | unknown | — | — | 4y ago | Inadequate Encryption Strength in Jenkins | |||
| CVE-2017-2600 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2017-2594 | unknown | — | — | 4y ago | Path Traversal in io.hawt:project | |||
| CVE-2017-2589 | unknown | — | — | 4y ago | Insecure cookie sharing in Hawtio | |||
| CVE-2017-2606 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2017-2608 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Jenkins | |||
| CVE-2017-2610 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2017-2613 | unknown | — | — | 4y ago | Cross-Site Request Forgery in Jenkins | |||
| CVE-2017-2604 | unknown | — | — | 4y ago | Improper Authentication in Jenkins | |||
| CVE-2017-2609 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2017-2607 | unknown | — | — | 4y ago | Improper Neutralization of Input During Web Page Generation in Jenkins | |||
| CVE-2017-2603 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins | |||
| CVE-2017-2612 | unknown | — | — | 4y ago | Incorrect Permission Assignment for Critical Resource in Jenkins | |||
| CVE-2017-2638 | unknown | — | — | 4y ago | Infinispan Rest API Does Not Enforce Auth Constraints | |||
| CVE-2017-2649 | unknown | — | — | 4y ago | Jenkins Active Directory Plugin did not verify certificate of AD server | |||
| CVE-2017-2648 | unknown | — | — | 4y ago | Jenkins SSH Build Agents Plugin did not verify host keys | |||
| CVE-2017-2650 | unknown | — | — | 4y ago | Jenkins Pipeline Classpath Step plugin allowed Script Security sandbox bypass | |||
| CVE-2017-2654 | unknown | — | — | 4y ago | Emails were sent to addresses not associated with actual users of Jenkins by Email Extension Plugin | |||
| CVE-2017-2651 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins-mailer-plugin | |||
| CVE-2017-2652 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Distributed Fork Plugin | |||
| CVE-2017-3202 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Flamingo amf-serializer | |||
| CVE-2017-3203 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Spring-flex | |||
| CVE-2017-7545 | unknown | — | — | 4y ago | XML External Entity Reference in jbpmmigration | |||
| CVE-2017-7559 | unknown | — | — | 4y ago | Undertow vulnerable to Request Smuggling | |||
| CVE-2017-3199 | unknown | — | — | 4y ago | GraniteDS Insecure Deserialization | |||
| CVE-2017-3200 | unknown | — | — | 4y ago | GraniteDS Insecure Deserialization | |||
| CVE-2017-12610 | unknown | — | — | 4y ago | Improper Authentication in Apache Kafka | |||
| CVE-2017-1000400 | unknown | — | — | 4y ago | Missing Authorization in Jenkins | |||
| CVE-2017-15695 | unknown | — | — | 4y ago | Apache Geode vulnerable to Incorrect Authorization | |||
| CVE-2017-1000390 | unknown | — | — | 4y ago | Jenkins Multijob plugin did not check permissions in the Resume Build action | |||
| CVE-2017-1000388 | unknown | — | — | 4y ago | Jenkins Dependency Graph Viewer plugin vulnerable to missing permission checks | |||
| CVE-2017-2611 | unknown | — | — | 4y ago | Incorrect Authorization in Jenkins Core | |||
| CVE-2017-2599 | unknown | — | — | 4y ago | Incorrect Authorization in Jenkins | |||
| CVE-2017-12174 | unknown | — | — | 4y ago | Uncontrolled Resource Consumption in Artemis and HornetQ | |||
| CVE-2017-1000487 | unknown | — | — | 4y ago | OS Command Injection in Plexus-utils |