CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2017 (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2017-17777 287 Bypass 2017-12-20 2018-01-12
7.5
None Remote Low Not required Partial Partial Partial
Paid To Read Script 2.0.5 has authentication bypass in the admin panel via a direct request, as demonstrated by the admin/viewvisitcamp.php fn parameter and the admin/userview.php uid parameter.
52 CVE-2017-17763 311 2017-12-19 2020-02-04
7.6
None Remote High Not required Complete Complete Complete
SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share feature, does not use HTTPS or any integrity-protection mechanism for file transfer, which makes it easier for remote attackers to send crafted files, as demonstrated by APK injection.
53 CVE-2017-17761 2017-12-19 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on Ichano AtHome IP Camera devices. The device runs the "noodles" binary - a service on port 1300 that allows a remote (LAN) unauthenticated user to run arbitrary commands. This binary requires the "system" XML element for specifying the command. For example, a <system>id</system> command results in a <system_ack>ok</system_ack> response.
54 CVE-2017-17759 DoS +Info 2017-12-19 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
Conarc iChannel allows remote attackers to obtain sensitive information, modify the configuration, or cause a denial of service (by deleting the configuration) via a wc.dll?wwMaint~EditConfig request (which reaches an older version of a West Wind Web Connection HTTP service).
55 CVE-2017-17758 78 Exec Code 2017-12-19 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zone_get_iface_bydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd.
56 CVE-2017-17757 78 Exec Code 2017-12-19 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/wportal command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/wportal.lua in uhttpd.
57 CVE-2017-17746 306 2017-12-20 2019-10-03
7.7
None Local Network Low ??? Complete Complete Complete
Weak access control methods on the TP-Link TL-SG108E 1.0.0 allow any user on a NAT network with an authenticated administrator to access the device without entering user credentials. The authentication record is stored on the device; thus if an administrator authenticates from a NAT network, the authentication applies to the IP address of the NAT gateway, and any user behind that NAT gateway is also treated as authenticated.
58 CVE-2017-17739 22 Dir. Trav. 2017-12-18 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files.
59 CVE-2017-17733 Exec Code 2017-12-18 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request.
60 CVE-2017-17731 89 Sql 2017-12-18 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
61 CVE-2017-17730 89 Sql 2017-12-18 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php.
62 CVE-2017-17721 89 Sql 2017-12-18 2019-03-21
7.5
None Remote Low Not required Partial Partial Partial
CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorderstatus parameter.
63 CVE-2017-17717 327 2017-12-17 2018-01-04
10.0
None Remote Low Not required Complete Complete Complete
Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature.
64 CVE-2017-17713 89 Sql 2017-12-16 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, the /register lat parameter, the /register lon parameter, the /register org parameter, the /register query parameter, the /register region parameter, the /register regionName parameter, the /register timezone parameter, the /register vId parameter, the /register zip parameter, or the /tping id parameter.
65 CVE-2017-17701 476 2017-12-15 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025c8 DeviceIoControl request.
66 CVE-2017-17700 476 2017-12-15 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025a4 DeviceIoControl request.
67 CVE-2017-17699 476 2017-12-15 2017-12-20
7.5
None Remote Low Not required Partial Partial Partial
K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025ac DeviceIoControl request.
68 CVE-2017-17684 119 Overflow 2017-12-14 2017-12-21
7.8
None Remote Low Not required None None Complete
Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c04 \\.\PSMEMDriver DeviceIoControl request.
69 CVE-2017-17683 119 Overflow 2017-12-14 2017-12-21
7.8
None Remote Low Not required None None Complete
Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c44 \\.\PSMEMDriver DeviceIoControl request.
70 CVE-2017-17682 400 DoS 2017-12-14 2020-09-08
7.1
None Remote Medium Not required None None Complete
In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call.
71 CVE-2017-17681 835 DoS 2017-12-14 2020-08-19
7.1
None Remote Medium Not required None None Complete
In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found in the function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted psd image file.
72 CVE-2017-17672 502 Exec Code 2017-12-14 2018-01-02
7.5
None Remote Low Not required Partial Partial Partial
In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates.
73 CVE-2017-17671 22 Exec Code Dir. Trav. 2017-12-14 2020-08-14
7.5
None Remote Low Not required Partial Partial Partial
vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file.
74 CVE-2017-17651 89 Sql 2017-12-18 2018-01-02
7.5
None Remote Low Not required Partial Partial Partial
Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php uid parameter, the admin/viewemcamp.php fnum parameter, or the admin/viewvisitcamp.php fn parameter.
75 CVE-2017-17648 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_result.php marital, gender, country, or profileid parameter.
76 CVE-2017-17645 89 Sql 2017-12-18 2018-01-05
7.5
None Remote Low Not required Partial Partial Partial
Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php.
77 CVE-2017-17643 89 Sql 2017-12-18 2020-09-29
7.5
None Remote Low Not required Partial Partial Partial
FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/.
78 CVE-2017-17642 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job.
79 CVE-2017-17641 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter.
80 CVE-2017-17640 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter.
81 CVE-2017-17639 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter.
82 CVE-2017-17638 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter.
83 CVE-2017-17637 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val parameter.
84 CVE-2017-17636 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter.
85 CVE-2017-17635 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter.
86 CVE-2017-17634 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
87 CVE-2017-17633 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid parameter.
88 CVE-2017-17632 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter.
89 CVE-2017-17631 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the success-story.php succid parameter.
90 CVE-2017-17630 89 Sql 2017-12-13 2017-12-22
7.5
None Remote Low Not required Partial Partial Partial
Yoga Class Script 1.0 has SQL Injection via the /list city parameter.
91 CVE-2017-17629 89 Sql 2017-12-13 2017-12-22
7.5
None Remote Low Not required Partial Partial Partial
Secure E-commerce Script 2.0.1 has SQL Injection via the category.php searchmain or searchcat parameter, or the single_detail.php sid parameter.
92 CVE-2017-17628 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Responsive Realestate Script 3.2 has SQL Injection via the property-list tbud parameter.
93 CVE-2017-17627 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter.
94 CVE-2017-17626 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter.
95 CVE-2017-17625 89 Sql 2017-12-13 2020-03-10
7.5
None Remote Low Not required Partial Partial Partial
Professional Service Script 1.0 has SQL Injection via the service-list city parameter.
96 CVE-2017-17624 89 Sql 2017-12-13 2018-01-02
7.5
None Remote Low Not required Partial Partial Partial
PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter.
97 CVE-2017-17623 89 Sql 2017-12-13 2017-12-29
7.5
None Remote Low Not required Partial Partial Partial
Opensource Classified Ads Script 3.2 has SQL Injection via the advance_result.php keyword parameter.
98 CVE-2017-17622 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter.
99 CVE-2017-17621 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI.
100 CVE-2017-17620 89 Sql 2017-12-13 2017-12-26
7.5
None Remote Low Not required Partial Partial Partial
Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city parameter.
Total number of vulnerabilities : 444   Page : 1 2 (This Page)3 4 5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.