CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2017 (CVSS score >= 4)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1151 CVE-2015-4422 119 DoS Overflow +Priv Mem. Corr. 2017-10-19 2017-11-08
7.6
None Remote High Not required Complete Complete Complete
The TEEOS module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users with root permissions to gain privileges or cause a denial of service (memory corruption) via a crafted application.
1152 CVE-2015-4421 119 DoS Overflow +Priv Mem. Corr. 2017-10-19 2017-11-07
7.6
None Remote High Not required Complete Complete Complete
The tzdriver module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users to gain privileges or cause a denial of service (memory corruption) via an unspecified input.
1153 CVE-2015-3321 264 +Priv 2017-10-03 2017-10-17
7.2
None Local Low Not required Complete Complete Complete
Services and files in Lenovo Fingerprint Manager before 8.01.42 have incorrect ACLs, which allows local users to invalidate local checks and gain privileges via standard filesystem operations.
1154 CVE-2015-3249 119 DoS Exec Code Overflow 2017-10-30 2017-11-18
7.5
None Remote Low Not required Partial Partial Partial
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function.
1155 CVE-2015-3229 264 2017-10-16 2017-11-08
4.3
None Remote Medium Not required None Partial None
fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to conduct man-in-the-middle attacks by leveraging use of HTTP to download Fedora Atomic updates.
1156 CVE-2015-2988 295 2017-10-10 2017-11-03
4.0
None Remote High Not required Partial Partial None
Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates which might allow remote attackers to execute man-in-the-middle attacks.
1157 CVE-2015-2878 352 CSRF 2017-10-23 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accounts/json; turn off the (2) Url matching, (3) DNS Inject, or (4) IP Redirect Sensor in a request to interface/rest/dpi/setEnabled/1; or (5) perform whitelisting of malware MD5 hash IDs via the id parameter to interface/rest/md5-threats/whitelist.
1158 CVE-2015-2856 22 Dir. Trav. 2017-10-10 2017-10-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie.
1159 CVE-2015-2780 434 Exec Code 2017-10-16 2017-11-07
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
1160 CVE-2015-2673 264 Exec Code +Priv 2017-10-06 2017-11-01
6.5
None Remote Low ??? Partial Partial Partial
The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.
1161 CVE-2015-2297 476 DoS 2017-10-06 2017-10-13
5.0
None Remote Low Not required None None Partial
nanohttp in libcsoap allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Authorization header.
1162 CVE-2015-2158 189 DoS Exec Code 2017-10-06 2017-11-01
6.8
None Remote Medium Not required Partial Partial Partial
Off-by-one error in the pngcrush_measure_idat function in pngcrush.c in pngcrush before 1.7.84 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file.
1163 CVE-2015-2156 20 Bypass +Info 2017-10-18 2019-11-25
4.3
None Remote Medium Not required Partial None None
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
1164 CVE-2015-2147 89 Exec Code Sql 2017-10-06 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.
1165 CVE-2015-2146 89 Exec Code Sql 2017-10-06 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to project.php, the (2) group_id parameter to group.php, the (3) status_id parameter to status.php, the (4) resolution_id parameter to resolution.php, the (5) severity_id parameter to severity.php, the (6) priority_id parameter to priority.php, the (7) os_id parameter to os.php, or the (8) site_id parameter to site.php.
1166 CVE-2015-2143 352 CSRF 2017-10-06 2017-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters.
1167 CVE-2015-2142 352 CSRF 2017-10-06 2017-10-12
6.0
None Remote Medium ??? Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php.
1168 CVE-2015-1828 200 +Info 2017-10-06 2019-10-17
4.3
None Remote Medium Not required Partial None None
The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.
1169 CVE-2015-1429 22 Dir. Trav. 2017-10-06 2020-08-19
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Cybele Software Thinfinity Remote Desktop Workstation 3.0.0.3 32-bit and 64-bit allows remote attackers to download arbitrary files via a .. (dot dot) in an unspecified parameter.
1170 CVE-2015-1239 415 DoS 2017-10-18 2021-11-09
4.3
None Remote Medium Not required None None Partial
Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF.
1171 CVE-2015-1206 119 DoS Overflow 2017-10-06 2017-11-01
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in Google Chrome before M40 allows remote attackers to cause a denial of service (unpaged memory write and process crash) via a crafted MP4 file.
1172 CVE-2015-0226 327 +Info 2017-10-30 2019-07-23
5.0
None Remote Low Not required Partial None None
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
1173 CVE-2015-0224 19 DoS 2017-10-30 2018-10-09
5.0
None Remote Low Not required None None Partial
qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203.
1174 CVE-2014-9733 20 2017-10-17 2017-11-08
7.5
None Remote Low Not required Partial Partial Partial
nw.js before 0.11.5 can simulate user input events in a normal frame, which allows remote attackers to have unspecified impact via unknown vectors.
1175 CVE-2014-9697 400 DoS 2017-10-17 2017-11-08
7.8
None Remote Low Not required None None Complete
Huawei USG9560/9520/9580 before V300R001C01SPC300 allows remote attackers to cause a memory leak or denial of service (memory exhaustion, reboot and MPU switchover) via a crafted website.
1176 CVE-2014-9678 20 2017-10-17 2017-11-08
4.3
None Remote Medium Not required None Partial None
FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to conduct content-spoofing attacks via the Swfile parameter.
1177 CVE-2014-9677 79 XSS 2017-10-17 2017-10-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the Swfile parameter.
1178 CVE-2014-9489 284 Exec Code 2017-10-17 2017-11-08
6.5
None Remote Low ??? Partial Partial Partial
The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags.
1179 CVE-2014-9487 611 DoS 2017-10-17 2017-11-08
7.5
None Remote Low Not required Partial Partial Partial
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
1180 CVE-2014-9474 119 Overflow 2017-10-10 2017-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str.
1181 CVE-2014-9148 284 Bypass 2017-10-16 2017-10-25
7.5
None Remote Low Not required Partial Partial Partial
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
1182 CVE-2014-9147 200 +Info 2017-10-16 2017-10-25
5.0
None Remote Low Not required Partial None None
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
1183 CVE-2014-9118 77 Exec Code 2017-10-17 2018-10-09
9.0
None Remote Low ??? Complete Complete Complete
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
1184 CVE-2014-9092 119 DoS Overflow 2017-10-10 2018-07-12
4.3
None Remote Medium Not required None None Partial
libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.
1185 CVE-2014-8758 79 XSS 2017-10-06 2017-10-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin before 3.0.70for WordPress allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in the gallery_album_sorting page to wp-admin/admin.php.
1186 CVE-2014-8621 89 Exec Code Sql 2017-10-16 2017-10-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.
1187 CVE-2014-8492 79 XSS 2017-10-06 2017-10-13
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter.
1188 CVE-2014-8491 200 +Info 2017-10-18 2017-11-08
5.0
None Remote Low Not required Partial None None
The Grand Flagallery plugin before 4.25 for WordPress allows remote attackers to obtain the installation path via a request to (1) flagallery-skins/banner_widget_default/gallery.php or (2) flash-album-gallery/skins/banner_widget_default/gallery.php.
1189 CVE-2014-8357 255 2017-10-17 2018-10-09
4.0
None Remote Low ??? Partial None None
backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.
1190 CVE-2014-8324 20 DoS 2017-10-17 2018-10-09
5.0
None Remote Low Not required None None Partial
network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.
1191 CVE-2014-8323 20 DoS 2017-10-17 2018-10-09
5.0
None Remote Low Not required None None Partial
buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.
1192 CVE-2014-8087 79 XSS 2017-10-16 2017-10-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline action to ajax/ph_save.php.
1193 CVE-2014-7851 264 +Priv 2017-10-16 2019-11-06
6.0
None Remote Medium ??? Partial Partial Partial
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
1194 CVE-2014-7813 400 DoS 2017-10-18 2017-11-07
4.0
None Remote Low ??? None None Partial
Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols.
1195 CVE-2014-7242 295 +Info 2017-10-18 2017-11-08
4.3
None Remote Medium Not required Partial None None
The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates.
1196 CVE-2014-7240 79 XSS 2017-10-06 2017-10-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Easy Contact Form Solution plugin before 1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value parameter in a master_response action to wp-admin/admin-ajax.php.
1197 CVE-2014-3744 22 Dir. Trav. 2017-10-23 2017-11-15
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
1198 CVE-2014-3741 77 Exec Code 2017-10-23 2017-11-21
7.5
None Remote Low Not required Partial Partial Partial
The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command.
1199 CVE-2014-3709 352 CSRF 2017-10-18 2017-11-07
6.8
None Remote Medium Not required Partial Partial Partial
The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
1200 CVE-2014-3706 295 2017-10-18 2017-11-07
4.3
None Remote Medium Not required Partial None None
ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates.
Total number of vulnerabilities : 1249   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 (This Page)25
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.