CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In July 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2017-1000030 287 2017-07-17 2017-07-21
5.0
None Remote Low Not required Partial None None
Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Java Key Store Password Disclosure vulnerability, that makes it possible to provide an unauthenticated attacker plain text password of administrative user and grant access to the web-based administration interface.
52 CVE-2017-1000029 200 +Info File Inclusion 2017-07-17 2017-07-21
5.0
None Remote Low Not required Partial None None
Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Local File Inclusion vulnerability, that makes it possible to include arbitrary files on the server, this vulnerability can be exploited without any prior authentication.
53 CVE-2017-1000028 22 Dir. Trav. 2017-07-17 2019-05-03
5.0
None Remote Low Not required Partial None None
Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.
54 CVE-2017-1000027 601 2017-07-17 2017-07-21
5.8
None Remote Medium Not required Partial Partial None
Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access.
55 CVE-2017-1000026 22 Dir. Trav. 2017-07-17 2021-04-30
5.0
None Remote Low Not required None Partial None
Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using ".." in tar archive entries
56 CVE-2017-1000025 200 +Info 2017-07-17 2017-08-04
5.0
None Remote Low Not required Partial None None
GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 before 3.20.7, 3.18 before 3.18.11, and prior versions, is vulnerable to a password manager sweep attack resulting in the remote exfiltration of stored passwords for a selected set of websites.
57 CVE-2017-1000024 319 2017-07-17 2019-10-03
5.0
None Remote Low Not required Partial None None
Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable to an information disclosure in the web publishing plugins resulting in potential password and oauth token plaintext transmission
58 CVE-2017-1000023 79 XSS 2017-07-17 2019-03-14
3.5
None Remote Medium ??? None Partial None
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to an XSS when using preview on HTML document.
59 CVE-2017-1000022 732 2017-07-17 2019-10-03
6.5
None Remote Low ??? Partial Partial Partial
LogicalDoc Community Edition 7.5.3 and prior contain an Incorrect access control which could leave to privilege escalation.
60 CVE-2017-1000021 611 2017-07-17 2019-03-14
6.5
None Remote Low ??? Partial Partial Partial
LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when indexing XML documents.
61 CVE-2017-1000020 287 Bypass 2017-07-17 2017-08-15
10.0
None Remote Low Not required Complete Complete Complete
SYN Flood or FIN Flood attack in ECos 1 and other versions embedded devices results in web Authentication Bypass. "eCos Embedded Web Servers used by Multiple Routers and Home devices, while sending SYN Flood or FIN Flood packets fails to validate and handle the packets and does not ask for any sign of authentication resulting in Authentication Bypass. An attacker can take complete advantage of this bug and take over the device remotely or locally. The bug has been successfully tested and reproduced in some versions of SOHO Routers manufactured by TOTOLINK, GREATEK and others."
62 CVE-2017-1000018 20 2017-07-17 2019-03-20
5.0
None Remote Low Not required None None Partial
phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the replication status by using a specially crafted table name
63 CVE-2017-1000017 918 2017-07-17 2019-03-25
6.5
None Remote Low ??? Partial Partial Partial
phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server
64 CVE-2017-1000016 20 2017-07-17 2017-07-26
5.0
None Remote Low Not required None Partial None
A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18.
65 CVE-2017-1000015 79 XSS 2017-07-17 2019-03-20
4.3
None Remote Medium Not required None Partial None
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack through crafted cookie parameters
66 CVE-2017-1000014 20 2017-07-17 2019-03-19
5.0
None Remote Low Not required None None Partial
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the table editing functionality
67 CVE-2017-1000013 601 2017-07-17 2019-03-19
5.8
None Remote Medium Not required Partial Partial None
phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakness
68 CVE-2017-1000012 79 XSS 2017-07-17 2017-08-15
4.3
None Remote Medium Not required None Partial None
MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying the data in the database to the user
69 CVE-2017-1000011 79 XSS 2017-07-17 2017-07-20
4.3
None Remote Medium Not required None Partial None
MyWebSQL version 3.6 is vulnerable to stored XSS in the database manager component resulting in account takeover or stealing of information
70 CVE-2017-1000010 427 Exec Code 2017-07-17 2020-08-03
6.8
None Remote Medium Not required Partial Partial Partial
Audacity 2.1.2 through 2.3.2 is vulnerable to Dll HIjacking in the avformat-55.dll resulting arbitrary code execution.
71 CVE-2017-1000009 78 2017-07-17 2020-08-05
7.5
None Remote Low Not required Partial Partial Partial
Akeneo PIM CE and EE <1.6.6, <1.5.15, <1.4.28 are vulnerable to shell injection in the mass edition, resulting in remote execution.
72 CVE-2017-1000008 352 CSRF 2017-07-17 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user settings function allowing attackers to hijack the authentication of logged in users to modify account information, including their password.
73 CVE-2017-1000007 200 +Info 2017-07-17 2017-08-04
4.3
None Remote Medium Not required Partial None None
txAWS (all current versions) fail to perform complete certificate verification resulting in vulnerability to MitM attacks and information disclosure.
74 CVE-2017-1000006 79 XSS 2017-07-17 2017-07-27
4.3
None Remote Medium Not required None Partial None
Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue.
75 CVE-2017-1000005 79 XSS 2017-07-17 2017-07-21
4.3
None Remote Medium Not required None Partial None
PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the name of databases, tables and columns resulting in potential account takeover and scraping of data (stealing data).
76 CVE-2017-1000004 89 Exec Code Sql 2017-07-17 2017-08-04
7.5
None Remote Low Not required Partial Partial Partial
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution.
77 CVE-2017-1000003 269 2017-07-17 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation.
78 CVE-2017-1000002 22 Exec Code Dir. Trav. Bypass 2017-07-17 2017-07-27
7.5
None Remote Low Not required Partial Partial Partial
ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure.
79 CVE-2017-1000001 20 2017-07-17 2017-07-26
5.0
None Remote Low Not required None Partial None
FedMsg 0.18.1 and older is vulnerable to a message validation flaw resulting in message validation not being enabled if configured to be on.
80 CVE-2017-11760 94 Exec Code 2017-07-31 2017-08-09
6.5
None Remote Low ??? Partial Partial Partial
uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area.
81 CVE-2017-11757 191 Exec Code Overflow 2017-07-31 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 allows remote attackers to execute arbitrary code via crafted traffic to TCP port 1583. The overflow occurs after Server-Client encryption-key exchange. The issue results from an integer underflow that leads to a zero-byte allocation. The _srvLnaConnectMP1 function is affected.
82 CVE-2017-11756 434 Exec Code 2017-07-30 2017-08-04
6.0
None Remote Medium ??? Partial Partial Partial
In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and .m4a in admin.php?iframe=config_upload, and then using user.php/music/add/ to upload the code.
83 CVE-2017-11755 772 DoS 2017-07-30 2019-10-03
4.3
None Remote Medium Not required None None Partial
The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file that is mishandled in an AcquireSemaphoreInfo call.
84 CVE-2017-11754 772 DoS 2017-07-30 2019-10-03
4.3
None Remote Medium Not required None None Partial
The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file that is mishandled in an OpenPixelCache call.
85 CVE-2017-11753 125 DoS 2017-07-30 2017-08-02
4.3
None Remote Medium Not required None None Partial
The GetImageDepth function in MagickCore/attribute.c in ImageMagick 7.0.6-4 might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted Flexible Image Transport System (FITS) file.
86 CVE-2017-11752 772 DoS 2017-07-30 2019-10-03
4.3
None Remote Medium Not required None None Partial
The ReadMAGICKImage function in coders/magick.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file.
87 CVE-2017-11751 772 DoS 2017-07-30 2019-10-03
4.3
None Remote Medium Not required None None Partial
The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 allows remote attackers to cause a denial of service (memory leak) via a crafted file.
88 CVE-2017-11750 476 DoS 2017-07-30 2017-08-02
4.3
None Remote Medium Not required None None Partial
The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 and 7.0.6-4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
89 CVE-2017-11749 426 2017-07-30 2020-09-23
6.8
None Remote Medium Not required Partial Partial Partial
InternetSoft FTP Commander 8.02 and prior has an untrusted search path, allowing DLL hijacking via a Trojan horse dwmapi.dll file.
90 CVE-2017-11748 426 2017-07-30 2017-08-09
6.8
None Remote Medium Not required Partial Partial Partial
VIT Spider Player 2.5.3 has an untrusted search path, allowing DLL hijacking via a Trojan horse dwmapi.dll, olepro32.dll, dsound.dll, or AUDIOSES.dll file.
91 CVE-2017-11747 269 Exec Code 2017-07-30 2020-03-31
2.1
None Local Low Not required None None Partial
main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tinyproxy.pid modification before a root script executes a "kill `cat /run/tinyproxy/tinyproxy.pid`" command.
92 CVE-2017-11746 552 Exec Code 2017-07-30 2019-10-03
7.8
None Remote Low Not required None None Complete
Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tenshi.pid modification before a root script executes a "kill `cat /pathname/tenshi.pid`" command.
93 CVE-2017-11744 79 XSS 2017-07-30 2017-08-02
4.3
None Remote Medium Not required None Partial None
In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module.
94 CVE-2017-11743 798 2017-07-31 2017-08-15
7.5
None Remote Low Not required Partial Partial Partial
MEDHOST Connex contains a hard-coded Mirth Connect admin credential that is used for customer Mirth Connect management access. An attacker with knowledge of the hard-coded credential and the ability to communicate directly with the Mirth Connect management console may be able to intercept sensitive patient information. The admin account password is hard-coded as $K8t1ng throughout the application, and is the same across all installations. Customers do not have the option to change the Mirth Connect admin account password. The Mirth Connect admin account is created during the Connex install. The plaintext account password is hard-coded multiple times in the Connex install and update scripts.
95 CVE-2017-11742 426 +Priv 2017-07-30 2017-08-09
4.6
None Local Low Not required Partial Partial Partial
The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking.
96 CVE-2017-11737 79 XSS 2017-07-29 2017-08-02
4.3
None Remote Medium Not required None Partial None
interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS via the Subject and Message-Id headers, which are mishandled in the history page.
97 CVE-2017-11736 89 Exec Code Sql 2017-07-29 2017-08-02
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter.
98 CVE-2017-11735 476 DoS 2017-07-31 2017-08-11
4.3
None Remote Medium Not required None None Partial
The vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ogg file.
99 CVE-2017-11734 125 DoS 2017-07-29 2019-10-03
4.3
None Remote Medium Not required None None Partial
A heap-based buffer over-read was found in the function decompileCALLFUNCTION in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file.
100 CVE-2017-11733 476 DoS 2017-07-29 2019-04-26
4.3
None Remote Medium Not required None None Partial
A null pointer dereference vulnerability was found in the function stackswap (called from decompileSTACKSWAP) in util/decompile.c in Ming 0.4.8, which allows attackers to cause a denial of service via a crafted file.
Total number of vulnerabilities : 1280   Page : 1 2 (This Page)3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.