CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2017 (CVSS score >= 3)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1251 CVE-2015-2143 352 CSRF 2017-10-06 2017-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters.
1252 CVE-2015-2142 352 CSRF 2017-10-06 2017-10-12
6.0
None Remote Medium ??? Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php.
1253 CVE-2015-1828 200 +Info 2017-10-06 2019-10-17
4.3
None Remote Medium Not required Partial None None
The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.
1254 CVE-2015-1429 22 Dir. Trav. 2017-10-06 2020-08-19
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Cybele Software Thinfinity Remote Desktop Workstation 3.0.0.3 32-bit and 64-bit allows remote attackers to download arbitrary files via a .. (dot dot) in an unspecified parameter.
1255 CVE-2015-1239 415 DoS 2017-10-18 2021-11-09
4.3
None Remote Medium Not required None None Partial
Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF.
1256 CVE-2015-1206 119 DoS Overflow 2017-10-06 2017-11-01
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in Google Chrome before M40 allows remote attackers to cause a denial of service (unpaged memory write and process crash) via a crafted MP4 file.
1257 CVE-2015-0226 327 +Info 2017-10-30 2019-07-23
5.0
None Remote Low Not required Partial None None
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
1258 CVE-2015-0224 19 DoS 2017-10-30 2018-10-09
5.0
None Remote Low Not required None None Partial
qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203.
1259 CVE-2014-9733 20 2017-10-17 2017-11-08
7.5
None Remote Low Not required Partial Partial Partial
nw.js before 0.11.5 can simulate user input events in a normal frame, which allows remote attackers to have unspecified impact via unknown vectors.
1260 CVE-2014-9697 400 DoS 2017-10-17 2017-11-08
7.8
None Remote Low Not required None None Complete
Huawei USG9560/9520/9580 before V300R001C01SPC300 allows remote attackers to cause a memory leak or denial of service (memory exhaustion, reboot and MPU switchover) via a crafted website.
1261 CVE-2014-9678 20 2017-10-17 2017-11-08
4.3
None Remote Medium Not required None Partial None
FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to conduct content-spoofing attacks via the Swfile parameter.
1262 CVE-2014-9677 79 XSS 2017-10-17 2017-10-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the Swfile parameter.
1263 CVE-2014-9489 284 Exec Code 2017-10-17 2017-11-08
6.5
None Remote Low ??? Partial Partial Partial
The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags.
1264 CVE-2014-9487 611 DoS 2017-10-17 2017-11-08
7.5
None Remote Low Not required Partial Partial Partial
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
1265 CVE-2014-9474 119 Overflow 2017-10-10 2017-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str.
1266 CVE-2014-9148 284 Bypass 2017-10-16 2017-10-25
7.5
None Remote Low Not required Partial Partial Partial
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
1267 CVE-2014-9147 200 +Info 2017-10-16 2017-10-25
5.0
None Remote Low Not required Partial None None
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
1268 CVE-2014-9118 77 Exec Code 2017-10-17 2018-10-09
9.0
None Remote Low ??? Complete Complete Complete
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
1269 CVE-2014-9092 119 DoS Overflow 2017-10-10 2018-07-12
4.3
None Remote Medium Not required None None Partial
libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.
1270 CVE-2014-8957 79 XSS 2017-10-06 2017-10-12
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter.
1271 CVE-2014-8758 79 XSS 2017-10-06 2017-10-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin before 3.0.70for WordPress allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in the gallery_album_sorting page to wp-admin/admin.php.
1272 CVE-2014-8621 89 Exec Code Sql 2017-10-16 2017-10-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.
1273 CVE-2014-8492 79 XSS 2017-10-06 2017-10-13
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter.
1274 CVE-2014-8491 200 +Info 2017-10-18 2017-11-08
5.0
None Remote Low Not required Partial None None
The Grand Flagallery plugin before 4.25 for WordPress allows remote attackers to obtain the installation path via a request to (1) flagallery-skins/banner_widget_default/gallery.php or (2) flash-album-gallery/skins/banner_widget_default/gallery.php.
1275 CVE-2014-8357 255 2017-10-17 2018-10-09
4.0
None Remote Low ??? Partial None None
backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.
1276 CVE-2014-8324 20 DoS 2017-10-17 2018-10-09
5.0
None Remote Low Not required None None Partial
network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.
1277 CVE-2014-8323 20 DoS 2017-10-17 2018-10-09
5.0
None Remote Low Not required None None Partial
buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.
1278 CVE-2014-8087 79 XSS 2017-10-16 2017-10-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline action to ajax/ph_save.php.
1279 CVE-2014-7851 264 +Priv 2017-10-16 2019-11-06
6.0
None Remote Medium ??? Partial Partial Partial
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
1280 CVE-2014-7813 400 DoS 2017-10-18 2017-11-07
4.0
None Remote Low ??? None None Partial
Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols.
1281 CVE-2014-7242 295 +Info 2017-10-18 2017-11-08
4.3
None Remote Medium Not required Partial None None
The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates.
1282 CVE-2014-7240 79 XSS 2017-10-06 2017-10-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Easy Contact Form Solution plugin before 1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value parameter in a master_response action to wp-admin/admin-ajax.php.
1283 CVE-2014-3744 22 Dir. Trav. 2017-10-23 2017-11-15
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
1284 CVE-2014-3741 77 Exec Code 2017-10-23 2017-11-21
7.5
None Remote Low Not required Partial Partial Partial
The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command.
1285 CVE-2014-3709 352 CSRF 2017-10-18 2017-11-07
6.8
None Remote Medium Not required Partial Partial Partial
The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
1286 CVE-2014-3706 295 2017-10-18 2017-11-07
4.3
None Remote Medium Not required Partial None None
ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates.
1287 CVE-2014-3702 22 DoS Dir. Trav. 2017-10-16 2017-11-07
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a .. (dot dot) the session parameter.
1288 CVE-2014-3624 284 Bypass 2017-10-30 2017-11-17
7.5
None Remote Low Not required Partial Partial Partial
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
1289 CVE-2014-3600 611 2017-10-27 2019-03-27
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
1290 CVE-2014-3579 611 2017-10-27 2019-03-27
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
1291 CVE-2014-3531 79 XSS 2017-10-18 2017-10-27
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description.
1292 CVE-2014-3526 200 +Info 2017-10-30 2019-12-11
5.0
None Remote Low Not required Partial None None
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
1293 CVE-2014-3164 476 DoS 2017-10-18 2017-11-07
5.0
None Remote Low Not required None None Partial
cmds/servicemanager/service_manager.c in Android before commit 7d42a3c31ba78a418f9bdde0e0ab951469f321b5 allows attackers to cause a denial of service (NULL pointer dereference, or out-of-bounds write) via vectors related to binder passed lengths.
1294 CVE-2014-2903 310 2017-10-06 2017-10-17
4.3
None Remote Medium Not required Partial None None
CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake.
1295 CVE-2014-2664 434 Exec Code 2017-10-17 2017-11-08
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
1296 CVE-2014-2277 284 +Info 2017-10-17 2020-02-04
3.6
None Local Low Not required Partial Partial None
The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.
1297 CVE-2014-2023 89 1 Exec Code Sql 2017-10-26 2017-11-15
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.
1298 CVE-2014-1203 77 Exec Code 2017-10-24 2019-12-11
7.5
None Remote Low Not required Partial Partial Partial
The get_login_ip_config_file function in Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php.
1299 CVE-2014-0691 331 Bypass 2017-10-24 2017-11-14
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643.
1300 CVE-2014-0208 79 XSS 2017-10-16 2017-11-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.
Total number of vulnerabilities : 1339   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 (This Page)27
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.