| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2006-5331 |
19 |
|
DoS |
2017-10-29 |
2017-11-17 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction. |
|
2 |
CVE-2008-7315 |
77 |
|
Exec Code |
2017-10-10 |
2017-11-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
UI-Dialog 1.09 and earlier allows remote attackers to execute arbitrary commands. |
|
3 |
CVE-2009-1197 |
20 |
|
|
2017-10-30 |
2017-11-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apache jUDDI before 2.0 allows attackers to spoof entries in log files via vectors related to error logging of keys from uddiget.jsp. |
|
4 |
CVE-2009-1198 |
79 |
|
XSS |
2017-10-30 |
2017-11-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Apache jUDDI before 2.0 allows remote attackers to inject arbitrary web script or HTML via the dsname parameter to happyjuddi.jsp. |
|
5 |
CVE-2010-2232 |
284 |
|
|
2017-10-23 |
2017-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In Apache Derby 10.1.2.1, 10.2.2.0, 10.3.1.4, and 10.4.1.3, Export processing may allow an attacker to overwrite an existing file. |
|
6 |
CVE-2011-1935 |
|
|
|
2017-10-20 |
2021-06-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
pcap-linux.c in libpcap 1.1.1 before commit ea9432fabdf4b33cbc76d9437200e028f1c47c93 when snaplen is set may truncate packets, which might allow remote attackers to send arbitrary data while avoiding detection via crafted packets. |
|
7 |
CVE-2011-2683 |
254 |
|
|
2017-10-23 |
2017-11-21 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
reseed seeds random numbers from an insecure HTTP request to random.org during installation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a man-in-the-middle attack. |
|
8 |
CVE-2011-4333 |
79 |
|
XSS |
2017-10-23 |
2019-10-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in LabWiki 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) from parameter to index.php or the (2) page_no parameter to recentchanges.php. |
|
9 |
CVE-2011-4334 |
434 |
|
|
2017-10-23 |
2017-10-25 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
edit.php in LabWiki 1.1 and earlier does not properly verify uploaded user files, which allows remote authenticated users to upload arbitrary PHP files via a PHP file with a .gif extension in the userfile parameter. |
|
10 |
CVE-2012-0881 |
399 |
|
DoS |
2017-10-30 |
2021-09-28 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. |
|
11 |
CVE-2012-1622 |
|
|
Exec Code |
2017-10-26 |
2017-11-14 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. |
|
12 |
CVE-2012-4377 |
79 |
|
XSS |
2017-10-26 |
2017-10-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image. |
|
13 |
CVE-2012-4378 |
79 |
|
XSS |
2017-10-26 |
2017-10-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index.php. |
|
14 |
CVE-2012-4379 |
284 |
|
|
2017-10-19 |
2017-10-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element. |
|
15 |
CVE-2012-4380 |
284 |
|
Bypass |
2017-10-19 |
2017-10-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors. |
|
16 |
CVE-2012-4382 |
200 |
|
+Info |
2017-10-19 |
2017-10-31 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt. |
|
17 |
CVE-2012-4449 |
327 |
|
|
2017-10-30 |
2017-11-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. |
|
18 |
CVE-2012-4567 |
79 |
|
XSS |
2017-10-23 |
2017-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in (1) inc/inc.ClassUI.php or (2) out/out.DocumentNotify.php. |
|
19 |
CVE-2012-4568 |
352 |
|
CSRF |
2017-10-23 |
2017-11-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) before 3.3.8 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
20 |
CVE-2012-4569 |
79 |
|
XSS |
2017-10-23 |
2017-11-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in out/out.UsrMgr.php in LetoDMS (formerly MyDMS) before 3.3.9 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
21 |
CVE-2012-4570 |
89 |
|
Exec Code Sql |
2017-10-23 |
2017-11-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in LetoDMS_Core/Core/inc.ClassDMS.php in LetoDMS (formerly MyDMS) before 3.3.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
22 |
CVE-2012-5357 |
19 |
|
Exec Code |
2017-10-30 |
2017-11-18 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Ektron Content Management System (CMS) before 8.02 SP5 uses the XslCompiledTransform class with enablescript set to true, which allows remote attackers to execute arbitrary code with NETWORK SERVICE privileges via crafted XSL data. |
|
23 |
CVE-2012-5358 |
19 |
|
DoS Bypass |
2017-10-30 |
2017-11-18 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The XSLTCompiledTransform function in Ektron Content Management System (CMS) before 8.02 SP5 configures the XSL with enableDocumentFunction set to true, which allows remote attackers to read arbitrary files and consequently bypass authentication, modify viewstate, cause a denial of service, or possibly have unspecified other impact via crafted XSL data. |
|
24 |
CVE-2012-5636 |
79 |
|
XSS |
2017-10-30 |
2017-11-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response. |
|
25 |
CVE-2012-6707 |
326 |
|
|
2017-10-19 |
2017-11-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. |
|
26 |
CVE-2013-3734 |
255 |
|
+Info |
2017-10-24 |
2017-11-17 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
** DISPUTED ** The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain sensitive information by reading the HTML source code. NOTE: the vendor says that this does not cross a trust boundary and that it is recommended best-practice that SSL is configured for the administrative console. |
|
27 |
CVE-2013-4246 |
284 |
|
DoS +Info |
2017-10-30 |
2017-11-18 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties. |
|
28 |
CVE-2013-4366 |
20 |
|
|
2017-10-30 |
2020-07-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification. |
|
29 |
CVE-2013-6049 |
20 |
|
|
2017-10-20 |
2017-11-08 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
apt-listbugs before 0.1.10 creates temporary files insecurely, which allows attackers to have unspecified impact via unknown vectors. |
|
30 |
CVE-2013-6924 |
77 |
|
Exec Code |
2017-10-11 |
2017-11-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php. |
|
31 |
CVE-2013-7377 |
77 |
|
Exec Code |
2017-10-23 |
2017-11-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The codem-transcode module before 0.5.0 for Node.js, when ffprobe is enabled, allows remote attackers to execute arbitrary commands via a POST request to /probe. |
|
32 |
CVE-2014-0029 |
79 |
|
XSS |
2017-10-16 |
2017-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. |
|
33 |
CVE-2014-0030 |
611 |
|
|
2017-10-10 |
2019-05-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. |
|
34 |
CVE-2014-0043 |
200 |
|
+Info |
2017-10-03 |
2017-10-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use. |
|
35 |
CVE-2014-0047 |
|
|
|
2017-10-06 |
2017-10-13 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage. |
|
36 |
CVE-2014-0072 |
20 |
|
|
2017-10-30 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. |
|
37 |
CVE-2014-0073 |
264 |
|
+Priv |
2017-10-30 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. |
|
38 |
CVE-2014-0115 |
22 |
|
Dir. Trav. |
2017-10-30 |
2017-11-15 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log. |
|
39 |
CVE-2014-0691 |
331 |
|
Bypass |
2017-10-24 |
2017-11-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643. |
|
40 |
CVE-2014-1203 |
77 |
|
Exec Code |
2017-10-24 |
2019-12-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The get_login_ip_config_file function in Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php. |
|
41 |
CVE-2014-2023 |
89 |
1
|
Exec Code Sql |
2017-10-26 |
2017-11-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/. |
|
42 |
CVE-2014-2664 |
434 |
|
Exec Code |
2017-10-17 |
2017-11-08 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. |
|
43 |
CVE-2014-2903 |
310 |
|
|
2017-10-06 |
2017-10-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake. |
|
44 |
CVE-2014-3164 |
476 |
|
DoS |
2017-10-18 |
2017-11-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
cmds/servicemanager/service_manager.c in Android before commit 7d42a3c31ba78a418f9bdde0e0ab951469f321b5 allows attackers to cause a denial of service (NULL pointer dereference, or out-of-bounds write) via vectors related to binder passed lengths. |
|
45 |
CVE-2014-3526 |
200 |
|
+Info |
2017-10-30 |
2019-12-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions. |
|
46 |
CVE-2014-3579 |
611 |
|
|
2017-10-27 |
2019-03-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. |
|
47 |
CVE-2014-3600 |
611 |
|
|
2017-10-27 |
2019-03-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. |
|
48 |
CVE-2014-3624 |
284 |
|
Bypass |
2017-10-30 |
2017-11-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. |
|
49 |
CVE-2014-3702 |
22 |
|
DoS Dir. Trav. |
2017-10-16 |
2017-11-07 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a .. (dot dot) the session parameter. |
|
50 |
CVE-2014-3706 |
295 |
|
|
2017-10-18 |
2017-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates. |
