| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
51 |
CVE-2017-1000030 |
287 |
|
|
2017-07-17 |
2017-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Java Key Store Password Disclosure vulnerability, that makes it possible to provide an unauthenticated attacker plain text password of administrative user and grant access to the web-based administration interface. |
|
52 |
CVE-2017-1000029 |
200 |
|
+Info File Inclusion |
2017-07-17 |
2017-07-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Local File Inclusion vulnerability, that makes it possible to include arbitrary files on the server, this vulnerability can be exploited without any prior authentication. |
|
53 |
CVE-2017-1000028 |
22 |
|
Dir. Trav. |
2017-07-17 |
2019-05-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request. |
|
54 |
CVE-2017-1000027 |
601 |
|
|
2017-07-17 |
2017-07-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access. |
|
55 |
CVE-2017-1000026 |
22 |
|
Dir. Trav. |
2017-07-17 |
2021-04-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using ".." in tar archive entries |
|
56 |
CVE-2017-1000025 |
200 |
|
+Info |
2017-07-17 |
2017-08-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 before 3.20.7, 3.18 before 3.18.11, and prior versions, is vulnerable to a password manager sweep attack resulting in the remote exfiltration of stored passwords for a selected set of websites. |
|
57 |
CVE-2017-1000024 |
319 |
|
|
2017-07-17 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable to an information disclosure in the web publishing plugins resulting in potential password and oauth token plaintext transmission |
|
58 |
CVE-2017-1000023 |
79 |
|
XSS |
2017-07-17 |
2019-03-14 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to an XSS when using preview on HTML document. |
|
59 |
CVE-2017-1000022 |
732 |
|
|
2017-07-17 |
2019-10-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
LogicalDoc Community Edition 7.5.3 and prior contain an Incorrect access control which could leave to privilege escalation. |
|
60 |
CVE-2017-1000021 |
611 |
|
|
2017-07-17 |
2019-03-14 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents. |
|
61 |
CVE-2017-1000020 |
287 |
|
Bypass |
2017-07-17 |
2017-08-15 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending SYN Flood or FIN Flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass. An attacker can take complete advantage of this bug and take over the device remotely or locally. The bug has been successfully tested and reproduced in some versions of SOHO Routers manufactured by TOTOLINK, GREATEK and others." |
|
62 |
CVE-2017-1000018 |
20 |
|
|
2017-07-17 |
2019-03-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name |
|
63 |
CVE-2017-1000017 |
918 |
|
|
2017-07-17 |
2019-03-25 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server |
|
64 |
CVE-2017-1000016 |
20 |
|
|
2017-07-17 |
2017-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. |
|
65 |
CVE-2017-1000015 |
79 |
|
XSS |
2017-07-17 |
2019-03-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters |
|
66 |
CVE-2017-1000014 |
20 |
|
|
2017-07-17 |
2019-03-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the table editing functionality |
|
67 |
CVE-2017-1000013 |
601 |
|
|
2017-07-17 |
2019-03-19 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness |
|
68 |
CVE-2017-1000012 |
79 |
|
XSS |
2017-07-17 |
2017-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user |
|
69 |
CVE-2017-1000011 |
79 |
|
XSS |
2017-07-17 |
2017-07-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information |
|
70 |
CVE-2017-1000010 |
427 |
|
Exec Code |
2017-07-17 |
2020-08-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Audacity 2.1.2 through 2.3.2 is vulnerable to Dll HIjacking in the avformat-55.dll resulting arbitrary code execution. |
|
71 |
CVE-2017-1000009 |
78 |
|
|
2017-07-17 |
2020-08-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Akeneo PIM CE and EE <1.6.6, <1.5.15, <1.4.28 are vulnerable to shell injection in the mass edition, resulting in remote execution. |
|
72 |
CVE-2017-1000008 |
352 |
|
CSRF |
2017-07-17 |
2017-08-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user settings function allowing attackers to hijack the authentication of logged in users to modify account information, including their password. |
|
73 |
CVE-2017-1000007 |
200 |
|
+Info |
2017-07-17 |
2017-08-04 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
txAWS (all current versions) fail to perform complete certificate verification resulting in vulnerability to MitM attacks and information disclosure. |
|
74 |
CVE-2017-1000006 |
79 |
|
XSS |
2017-07-17 |
2017-07-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue. |
|
75 |
CVE-2017-1000005 |
79 |
|
XSS |
2017-07-17 |
2017-07-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the name of databases, tables and columns resulting in potential account takeover and scraping of data (stealing data). |
|
76 |
CVE-2017-1000004 |
89 |
|
Exec Code Sql |
2017-07-17 |
2017-08-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution. |
|
77 |
CVE-2017-1000003 |
269 |
|
|
2017-07-17 |
2019-10-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation. |
|
78 |
CVE-2017-1000002 |
22 |
|
Exec Code Dir. Trav. Bypass |
2017-07-17 |
2017-07-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure. |
|
79 |
CVE-2017-1000001 |
20 |
|
|
2017-07-17 |
2017-07-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
FedMsg 0.18.1 and older is vulnerable to a message validation flaw resulting in message validation not being enabled if configured to be on. |
|
80 |
CVE-2017-11760 |
94 |
|
Exec Code |
2017-07-31 |
2017-08-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area. |
|
81 |
CVE-2017-11757 |
191 |
|
Exec Code Overflow |
2017-07-31 |
2019-10-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 allows remote attackers to execute arbitrary code via crafted traffic to TCP port 1583. The overflow occurs after Server-Client encryption-key exchange. The issue results from an integer underflow that leads to a zero-byte allocation. The _srvLnaConnectMP1 function is affected. |
|
82 |
CVE-2017-11756 |
434 |
|
Exec Code |
2017-07-30 |
2017-08-04 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and .m4a in admin.php?iframe=config_upload, and then using user.php/music/add/ to upload the code. |
|
83 |
CVE-2017-11755 |
772 |
|
DoS |
2017-07-30 |
2019-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file that is mishandled in an AcquireSemaphoreInfo call. |
|
84 |
CVE-2017-11754 |
772 |
|
DoS |
2017-07-30 |
2019-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file that is mishandled in an OpenPixelCache call. |
|
85 |
CVE-2017-11753 |
125 |
|
DoS |
2017-07-30 |
2017-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The GetImageDepth function in MagickCore/attribute.c in ImageMagick 7.0.6-4 might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted Flexible Image Transport System (FITS) file. |
|
86 |
CVE-2017-11752 |
772 |
|
DoS |
2017-07-30 |
2019-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The ReadMAGICKImage function in coders/magick.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file. |
|
87 |
CVE-2017-11751 |
772 |
|
DoS |
2017-07-30 |
2019-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file. |
|
88 |
CVE-2017-11750 |
476 |
|
DoS |
2017-07-30 |
2017-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 and 7.0.6-4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. |
|
89 |
CVE-2017-11749 |
426 |
|
|
2017-07-30 |
2020-09-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
InternetSoft FTP Commander 8.02 and prior has an untrusted search path, allowing DLL hijacking via a Trojan horse dwmapi.dll file. |
|
90 |
CVE-2017-11748 |
426 |
|
|
2017-07-30 |
2017-08-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
VIT Spider Player 2.5.3 has an untrusted search path, allowing DLL hijacking via a Trojan horse dwmapi.dll, olepro32.dll, dsound.dll, or AUDIOSES.dll file. |
|
91 |
CVE-2017-11747 |
269 |
|
Exec Code |
2017-07-30 |
2020-03-31 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tinyproxy.pid modification before a root script executes a "kill `cat /run/tinyproxy/tinyproxy.pid`" command. |
|
92 |
CVE-2017-11746 |
552 |
|
Exec Code |
2017-07-30 |
2019-10-03 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tenshi.pid modification before a root script executes a "kill `cat /pathname/tenshi.pid`" command. |
|
93 |
CVE-2017-11744 |
79 |
|
XSS |
2017-07-30 |
2017-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module. |
|
94 |
CVE-2017-11743 |
798 |
|
|
2017-07-31 |
2017-08-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
MEDHOST Connex contains a hard-coded Mirth Connect admin credential that is used for customer Mirth Connect management access. An attacker with knowledge of the hard-coded credential and the ability to communicate directly with the Mirth Connect management console may be able to intercept sensitive patient information. The admin account password is hard-coded as $K8t1ng throughout the application, and is the same across all installations. Customers do not have the option to change the Mirth Connect admin account password. The Mirth Connect admin account is created during the Connex install. The plaintext account password is hard-coded multiple times in the Connex install and update scripts. |
|
95 |
CVE-2017-11742 |
426 |
|
+Priv |
2017-07-30 |
2017-08-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking. |
|
96 |
CVE-2017-11737 |
79 |
|
XSS |
2017-07-29 |
2017-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page. |
|
97 |
CVE-2017-11736 |
89 |
|
Exec Code Sql |
2017-07-29 |
2017-08-02 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. |
|
98 |
CVE-2017-11735 |
476 |
|
DoS |
2017-07-31 |
2017-08-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ogg file. |
|
99 |
CVE-2017-11734 |
125 |
|
DoS |
2017-07-29 |
2019-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A heap-based buffer over-read was found in the function decompileCALLFUNCTION in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. |
|
100 |
CVE-2017-11733 |
476 |
|
DoS |
2017-07-29 |
2019-04-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
A null pointer dereference vulnerability was found in the function stackswap (called from decompileSTACKSWAP) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file. |
