| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 51 | CVE-2017-17777 | 287 | | Bypass | 2017-12-20 | 2018-01-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Paid To Read Script 2.0.5 has authentication bypass in the admin panel via a direct request, as demonstrated by the admin/viewvisitcamp.php fn parameter and the admin/userview.php uid parameter. |
| 52 | CVE-2017-17763 | 311 | | | 2017-12-19 | 2020-02-04 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share feature, does not use HTTPS or any integrity-protection mechanism for file transfer, which makes it easier for remote attackers to send crafted files, as demonstrated by APK injection. |
| 53 | CVE-2017-17761 | | | | 2017-12-19 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | An issue was discovered on Ichano AtHome IP Camera devices. The device runs the "noodles" binary, a service on port 1300 that allows a remote (LAN) unauthenticated user to run arbitrary commands. This binary requires the "system" XML element for specifying the command. For example, a `<system>id</system>` command results in a `<system_ack>ok</system_ack>` response. |
| 54 | CVE-2017-17759 | | | DoS +Info | 2017-12-19 | 2019-10-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Conarc iChannel allows remote attackers to obtain sensitive information, modify the configuration, or cause a denial of service (by deleting the configuration) via a wc.dll?wwMaint~EditConfig request (which reaches an older version of a West Wind Web Connection HTTP service). |
| 55 | CVE-2017-17758 | 78 | | Exec Code | 2017-12-19 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zone_get_iface_bydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd. |
| 56 | CVE-2017-17757 | 78 | | Exec Code | 2017-12-19 | 2019-10-03 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/wportal command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/wportal.lua in uhttpd. |
| 57 | CVE-2017-17746 | 306 | | | 2017-12-20 | 2019-10-03 | 7.7 | None | Local Network | Low | ??? | Complete | Complete | Complete | Weak access control methods on the TP-Link TL-SG108E 1.0.0 allow any user on a NAT network with an authenticated administrator to access the device without entering user credentials. The authentication record is stored on the device; thus if an administrator authenticates from a NAT network, the authentication applies to the IP address of the NAT gateway, and any user behind that NAT gateway is also treated as authenticated. |
| 58 | CVE-2017-17739 | 22 | | Dir. Trav. | 2017-12-18 | 2018-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) has directory traversal via the /storage.html rp parameter, allowing an attacker to read or write to files. |
| 59 | CVE-2017-17733 | | | Exec Code | 2017-12-18 | 2019-10-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request. |
| 60 | CVE-2017-17731 | 89 | | Sql | 2017-12-18 | 2018-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php. |
| 61 | CVE-2017-17730 | 89 | | Sql | 2017-12-18 | 2018-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/flink_add.php. |
| 62 | CVE-2017-17721 | 89 | | Sql | 2017-12-18 | 2019-03-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allows SQL injection via the tradestatus, assetno, assignto, building, domain, jobtype, site, trade, woType, workorderno, or workorderstatus parameter. |
| 63 | CVE-2017-17717 | 327 | | | 2017-12-17 | 2018-01-04 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature. |
| 64 | CVE-2017-17713 | 89 | | Sql | 2017-12-16 | 2018-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, the /register lat parameter, the /register lon parameter, the /register org parameter, the /register query parameter, the /register region parameter, the /register regionName parameter, the /register timezone parameter, the /register vId parameter, the /register zip parameter, or the /tping id parameter. |
| 65 | CVE-2017-17701 | 476 | | | 2017-12-15 | 2017-12-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025c8 DeviceIoControl request. |
| 66 | CVE-2017-17700 | 476 | | | 2017-12-15 | 2017-12-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025a4 DeviceIoControl request. |
| 67 | CVE-2017-17699 | 476 | | | 2017-12-15 | 2017-12-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer dereference via a 0x950025ac DeviceIoControl request. |
| 68 | CVE-2017-17684 | 119 | | Overflow | 2017-12-14 | 2017-12-21 | 7.8 | None | Remote | Low | Not required | None | None | Complete | Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c04 \\.\PSMEMDriver DeviceIoControl request. |
| 69 | CVE-2017-17683 | 119 | | Overflow | 2017-12-14 | 2017-12-21 | 7.8 | None | Remote | Low | Not required | None | None | Complete | Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c44 \\.\PSMEMDriver DeviceIoControl request. |
| 70 | CVE-2017-17682 | 400 | | DoS | 2017-12-14 | 2020-09-08 | 7.1 | None | Remote | Medium | Not required | None | None | Complete | In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call. |
| 71 | CVE-2017-17681 | 835 | | DoS | 2017-12-14 | 2020-08-19 | 7.1 | None | Remote | Medium | Not required | None | None | Complete | In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found in the function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted psd image file. |
| 72 | CVE-2017-17672 | 502 | | Exec Code | 2017-12-14 | 2018-01-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. This is exploited with the templateidlist parameter to ajax/api/template/cacheTemplates. |
| 73 | CVE-2017-17671 | 22 | | Exec Code Dir. Trav. | 2017-12-14 | 2020-08-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | vBulletin through 5.3.x on Windows allows remote PHP code execution because a require_once call is reachable with an unauthenticated request that can include directory traversal sequences to specify an arbitrary pathname, and because ../ traversal is blocked but ..\ traversal is not blocked. For example, an attacker can make an invalid HTTP request containing PHP code, and then make an index.php?routestring= request with enough instances of ".." to reach an Apache HTTP Server log file. |
| 74 | CVE-2017-17651 | 89 | | Sql | 2017-12-18 | 2018-01-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php uid parameter, the admin/viewemcamp.php fnum parameter, or the admin/viewvisitcamp.php fn parameter. |
| 75 | CVE-2017-17648 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_result.php marital, gender, country, or profileid parameter. |
| 76 | CVE-2017-17645 | 89 | | Sql | 2017-12-18 | 2018-01-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Bus Booking Script 1.0 has SQL Injection via the txtname parameter to admin/index.php. |
| 77 | CVE-2017-17643 | 89 | | Sql | 2017-12-18 | 2020-09-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tutorial/. |
| 78 | CVE-2017-17642 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Basic Job Site Script 2.0.5 has SQL Injection via the keyword parameter to /job. |
| 79 | CVE-2017-17641 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Resume Clone Script 2.0.5 has SQL Injection via the preview.php id parameter. |
| 80 | CVE-2017-17640 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Advanced World Database 2.0.5 has SQL Injection via the city.php country or state parameter, or the state.php country parameter. |
| 81 | CVE-2017-17639 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Muslim Matrimonial Script 3.02 has SQL Injection via the success-story.php succid parameter. |
| 82 | CVE-2017-17638 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php state_id parameter. |
| 83 | CVE-2017-17637 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val parameter. |
| 84 | CVE-2017-17636 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newid parameter. |
| 85 | CVE-2017-17635 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_detail.php newid parameter or the event_detail.php eventid parameter. |
| 86 | CVE-2017-17634 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Single Theater Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. |
| 87 | CVE-2017-17633 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the trailer-detail.php moid parameter, show-time.php moid parameter, or event-detail.php eid parameter. |
| 88 | CVE-2017-17632 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Injection via the findcity.php q parameter. |
| 89 | CVE-2017-17631 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the success-story.php succid parameter. |
| 90 | CVE-2017-17630 | 89 | | Sql | 2017-12-13 | 2017-12-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Yoga Class Script 1.0 has SQL Injection via the /list city parameter. |
| 91 | CVE-2017-17629 | 89 | | Sql | 2017-12-13 | 2017-12-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Secure E-commerce Script 2.0.1 has SQL Injection via the category.php searchmain or searchcat parameter, or the single_detail.php sid parameter. |
| 92 | CVE-2017-17628 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Responsive Realestate Script 3.2 has SQL Injection via the property-list tbud parameter. |
| 93 | CVE-2017-17627 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Readymade Video Sharing Script 3.2 has SQL Injection via the single-video-detail.php report_videos array parameter. |
| 94 | CVE-2017-17626 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Readymade PHP Classified Script 3.3 has SQL Injection via the /categories subctid or mctid parameter. |
| 95 | CVE-2017-17625 | 89 | | Sql | 2017-12-13 | 2020-03-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Professional Service Script 1.0 has SQL Injection via the service-list city parameter. |
| 96 | CVE-2017-17624 | 89 | | Sql | 2017-12-13 | 2018-01-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail.php sid parameter, or the category.php searchcat or chid1 parameter. |
| 97 | CVE-2017-17623 | 89 | | Sql | 2017-12-13 | 2017-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Opensource Classified Ads Script 3.2 has SQL Injection via the advance_result.php keyword parameter. |
| 98 | CVE-2017-17622 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Online Exam Test Application Script 1.6 has SQL Injection via the exams.php sort parameter. |
| 99 | CVE-2017-17621 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the PATH_INFO to the /detail URI. |
| 100 | CVE-2017-17620 | 89 | | Sql | 2017-12-13 | 2017-12-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city parameter. |