CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2017 (CVSS score >= 3)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2006-5331 19 DoS 2017-10-29 2017-11-17
4.9
None Local Low Not required None None Complete
The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction.
2 CVE-2008-7315 77 Exec Code 2017-10-10 2017-11-03
7.5
None Remote Low Not required Partial Partial Partial
UI-Dialog 1.09 and earlier allows remote attackers to execute arbitrary commands.
3 CVE-2009-1197 20 2017-10-30 2017-11-27
5.0
None Remote Low Not required None Partial None
Apache jUDDI before 2.0 allows attackers to spoof entries in log files via vectors related to error logging of keys from uddiget.jsp.
4 CVE-2009-1198 79 XSS 2017-10-30 2017-11-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp.
5 CVE-2010-2232 284 2017-10-23 2017-10-27
5.0
None Remote Low Not required None Partial None
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file.
6 CVE-2010-3659 79 XSS 2017-10-20 2017-11-07
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms.
7 CVE-2011-1935 2017-10-20 2021-06-15
7.5
None Remote Low Not required Partial Partial Partial
pcap-linux.c in libpcap 1.1.1 before commit ea9432fabdf4b33cbc76d9437200e028f1c47c93 when snaplen is set may truncate packets, which might allow remote attackers to send arbitrary data while avoiding detection via crafted packets.
8 CVE-2011-2683 254 2017-10-23 2017-11-21
4.3
None Remote Medium Not required Partial None None
reseed seeds random numbers from an insecure HTTP request to random.org during installation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a man-in-the-middle attack.
9 CVE-2011-4333 79 XSS 2017-10-23 2019-10-17
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) from parameter to index.php or the (2) page_no parameter to recentchanges.php.
10 CVE-2011-4334 434 2017-10-23 2017-10-25
6.5
None Remote Low ??? Partial Partial Partial
edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter.
11 CVE-2012-0881 399 DoS 2017-10-30 2021-09-28
7.8
None Remote Low Not required None None Complete
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
12 CVE-2012-1622 Exec Code 2017-10-26 2017-11-14
7.5
None Remote Low Not required Partial Partial Partial
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors.
13 CVE-2012-4377 79 XSS 2017-10-26 2017-10-31
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.
14 CVE-2012-4378 79 XSS 2017-10-26 2017-10-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php.
15 CVE-2012-4379 284 2017-10-19 2017-10-31
4.3
None Remote Medium Not required None Partial None
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.
16 CVE-2012-4380 284 Bypass 2017-10-19 2017-10-31
5.0
None Remote Low Not required None Partial None
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
17 CVE-2012-4382 200 +Info 2017-10-19 2017-10-31
4.0
None Remote Low ??? Partial None None
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.
18 CVE-2012-4449 327 2017-10-30 2017-11-21
7.5
None Remote Low Not required Partial Partial Partial
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.
19 CVE-2012-4567 79 XSS 2017-10-23 2017-11-15
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in (1) inc/inc.ClassUI.php or (2) out/out.DocumentNotify.php.
20 CVE-2012-4568 352 CSRF 2017-10-23 2017-11-14
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
21 CVE-2012-4569 79 XSS 2017-10-23 2017-11-14
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in out/out.UsrMgr.php in LetoDMS (formerly MyDMS) before 3.3.9 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
22 CVE-2012-4570 89 Exec Code Sql 2017-10-23 2017-11-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in LetoDMS_Core/Core/inc.ClassDMS.php in LetoDMS (formerly MyDMS) before 3.3.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
23 CVE-2012-5357 19 Exec Code 2017-10-30 2017-11-18
7.5
None Remote Low Not required Partial Partial Partial
Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data.
24 CVE-2012-5358 19 DoS Bypass 2017-10-30 2017-11-18
7.5
None Remote Low Not required Partial Partial Partial
The XSLTCompiledTransform function in Ektron Content Management System (CMS) before 8.02 SP5 configures the XSL with enableDocumentFunction set to true, which allows remote attackers to read arbitrary files and consequently bypass authentication, modify viewstate, cause a denial of service, or possibly have unspecified other impact via crafted XSL data.
25 CVE-2012-5636 79 XSS 2017-10-30 2017-11-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response.
26 CVE-2012-6707 326 2017-10-19 2017-11-13
5.0
None Remote Low Not required Partial None None
WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
27 CVE-2013-3734 255 +Info 2017-10-24 2017-11-17
6.0
None Remote Medium ??? Partial Partial Partial
** DISPUTED ** The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console.
28 CVE-2013-4246 284 DoS +Info 2017-10-30 2017-11-18
6.5
None Remote Low ??? Partial Partial Partial
libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.
29 CVE-2013-4366 20 2017-10-30 2020-07-28
7.5
None Remote Low Not required Partial Partial Partial
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.
30 CVE-2013-6049 20 2017-10-20 2017-11-08
4.6
None Local Low Not required Partial Partial Partial
apt-listbugs before 0.1.10 creates temporary files insecurely, which allows attackers to have unspecified impact via unknown vectors.
31 CVE-2013-6924 77 Exec Code 2017-10-11 2017-11-03
10.0
None Remote Low Not required Complete Complete Complete
Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php.
32 CVE-2013-7377 77 Exec Code 2017-10-23 2017-11-21
6.8
None Remote Medium Not required Partial Partial Partial
The codem-transcode module before 0.5.0 for Node.js, when ffprobe is enabled, allows remote attackers to execute arbitrary commands via a POST request to /probe.
33 CVE-2014-0029 79 XSS 2017-10-16 2017-11-07
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
34 CVE-2014-0030 611 2017-10-10 2019-05-06
7.5
None Remote Low Not required Partial Partial Partial
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
35 CVE-2014-0043 200 +Info 2017-10-03 2017-10-11
5.0
None Remote Low Not required Partial None None
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
36 CVE-2014-0047 2017-10-06 2017-10-13
4.6
None Local Low Not required Partial Partial Partial
Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage.
37 CVE-2014-0072 20 2017-10-30 2018-10-09
5.0
None Remote Low Not required None Partial None
ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option.
38 CVE-2014-0073 264 +Priv 2017-10-30 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.
39 CVE-2014-0115 22 Dir. Trav. 2017-10-30 2017-11-15
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
40 CVE-2014-0208 79 XSS 2017-10-16 2017-11-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.
41 CVE-2014-0691 331 Bypass 2017-10-24 2017-11-14
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643.
42 CVE-2014-1203 77 Exec Code 2017-10-24 2019-12-11
7.5
None Remote Low Not required Partial Partial Partial
The get_login_ip_config_file function in Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php.
43 CVE-2014-2023 89 1 Exec Code Sql 2017-10-26 2017-11-15
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.
44 CVE-2014-2277 284 +Info 2017-10-17 2020-02-04
3.6
None Local Low Not required Partial Partial None
The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.
45 CVE-2014-2664 434 Exec Code 2017-10-17 2017-11-08
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
46 CVE-2014-2903 310 2017-10-06 2017-10-17
4.3
None Remote Medium Not required Partial None None
CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake.
47 CVE-2014-3164 476 DoS 2017-10-18 2017-11-07
5.0
None Remote Low Not required None None Partial
cmds/servicemanager/service_manager.c in Android before commit 7d42a3c31ba78a418f9bdde0e0ab951469f321b5 allows attackers to cause a denial of service (NULL pointer dereference, or out-of-bounds write) via vectors related to binder passed lengths.
48 CVE-2014-3526 200 +Info 2017-10-30 2019-12-11
5.0
None Remote Low Not required Partial None None
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
49 CVE-2014-3531 79 XSS 2017-10-18 2017-10-27
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description.
50 CVE-2014-3579 611 2017-10-27 2019-03-27
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
Total number of vulnerabilities : 1339   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.