CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2017 (CVSS score >= 5)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
751 CVE-2016-10703 20 DoS Bypass 2017-12-14 2021-03-30
7.8
None Remote Low Not required None None Complete
A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by passing a maliciously crafted string.
752 CVE-2016-6914 276 +Priv 2017-12-27 2021-09-13
7.2
None Local Low Not required Complete Complete Complete
Ubiquiti UniFi Video before 3.8.0 for Windows uses weak permissions for the installation directory, which allows local users to gain SYSTEM privileges via a Trojan horse taskkill.exe file.
753 CVE-2016-5713 94 Exec Code 2017-12-06 2017-12-28
7.5
None Remote Low Not required Partial Partial Partial
Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.
754 CVE-2016-1255 59 +Priv 2017-12-05 2017-12-21
7.2
None Local Low Not required Complete Complete Complete
The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable before 178, in Ubuntu 12.04 LTS before 129ubuntu1.2, in Ubuntu 14.04 LTS before 154ubuntu1.1, in Ubuntu 16.04 LTS before 173ubuntu0.1, in Ubuntu 17.04 before 179ubuntu0.1, and in Ubuntu 17.10 before 184ubuntu1.1 allows local users to gain root privileges via a symlink attack on a logfile in /var/log/postgresql.
755 CVE-2016-1254 119 DoS Overflow 2017-12-05 2018-10-30
5.0
None Remote Low Not required None None Partial
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor.
756 CVE-2016-1253 78 Exec Code 2017-12-05 2017-12-20
10.0
None Remote Low Not required Complete Complete Complete
The most package in Debian wheezy before 5.0.0a-2.2, in Debian jessie before 5.0.0a-2.3+deb8u1, and in Debian unstable before 5.0.0a-3 allows remote attackers to execute arbitrary commands via shell metacharacters in the name of an LZMA-compressed file.
757 CVE-2015-8008 284 Bypass 2017-12-29 2018-01-11
5.0
None Remote Low Not required Partial None None
The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API request with an existing token.
758 CVE-2015-7669 22 Dir. Trav. 2017-12-27 2019-05-07
7.5
None Remote Low Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in (1) includes/MapImportCSV2.php and (2) includes/MapImportCSV.php in the Easy2Map plugin before 1.3.0 for WordPress allow remote attackers to include and execute arbitrary files via the csvfile parameter related to "upload file functionality."
759 CVE-2015-7224 287 Bypass 2017-12-21 2018-01-09
7.5
None Remote Low Not required Partial Partial Partial
puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host with a netmask.
760 CVE-2015-6237 287 Bypass 2017-12-27 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
The RPC service in Tripwire (formerly nCircle) IP360 VnE Manager 7.2.2 before 7.2.6 allows remote attackers to bypass authentication and (1) enumerate users, (2) reset passwords, or (3) manipulate IP filter restrictions via crafted "privileged commands."
761 CVE-2015-3637 89 Exec Code Sql 2017-12-28 2018-01-11
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in phpMyBackupPro when run in multi-user mode before 2.5 allows remote attackers to execute arbitrary SQL commands via the username and password parameters.
762 CVE-2015-3302 284 +Info 2017-12-29 2018-10-09
5.0
None Remote Low Not required Partial None None
The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by leveraging a "broken authentication mechanism."
763 CVE-2014-9515 502 Exec Code 2017-12-29 2021-06-14
7.5
None Remote Low Not required Partial Partial Partial
Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.
764 CVE-2014-8389 78 2017-12-28 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests.
765 CVE-2014-8358 426 +Priv 2017-12-11 2017-12-29
9.3
None Remote Medium Not required Complete Complete Complete
Huawei EC156, EC176, and EC177 USB Modem products with software before UTPS-V200R003B015D02SP07C1014 (23.015.02.07.1014) and before V200R003B015D02SP08C1014 (23.015.02.08.1014) use a weak ACL for the "Mobile Partner" directory, which allows remote attackers to gain SYSTEM privileges by compromising a low privilege account and modifying Mobile Partner.exe.
766 CVE-2014-8119 20 DoS 2017-12-29 2019-04-22
5.0
None Remote Low Not required None None Partial
The find_ifcfg_path function in netcf before 0.2.7 might allow attackers to cause a denial of service (application crash) via vectors involving augeas path expressions.
767 CVE-2014-4914 89 Sql 2017-12-29 2018-01-17
7.5
None Remote Low Not required Partial Partial Partial
The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
768 CVE-2014-3651 400 DoS 2017-12-29 2018-01-11
5.0
None Remote Low Not required None None Partial
JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.
769 CVE-2014-3630 611 DoS 2017-12-29 2019-11-25
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of service, or have unspecified other impact via crafted XML data.
770 CVE-2014-0121 287 Exec Code 2017-12-29 2018-01-11
7.5
None Remote Low Not required Partial Partial Partial
The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter.
771 CVE-2014-0120 352 CSRF 2017-12-29 2018-01-11
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f."
772 CVE-2013-7400 200 +Info 2017-12-29 2019-10-21
5.0
None Remote Low Not required Partial None None
The Direct Mail (direct_mail) extension before 3.1.2 for TYPO3 allows remote attackers to obtain sensitive information by leveraging improper checking of authentication codes.
773 CVE-2013-4578 74 Bypass 2017-12-29 2018-01-17
5.0
None Remote Low Not required None Partial None
jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.
774 CVE-2012-2576 89 2 Exec Code Sql 2017-12-20 2018-01-11
10.0
None Remote Low Not required Complete Complete Complete
SQL injection vulnerability in the LoginServlet page in SolarWinds Storage Manager before 5.1.2, SolarWinds Storage Profiler before 5.1.2, and SolarWinds Backup Profiler before 5.1.2 allows remote attackers to execute arbitrary SQL commands via the loginName field.
Total number of vulnerabilities : 774   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.