CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1301 CVE-2015-5699 264 Exec Code 2017-10-22 2017-11-14
7.2
None Local Low Not required Complete Complete Complete
The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux 2.5.3 and earlier allows local users to execute arbitrary commands via shell metacharacters in a cl-rctl command label.
1302 CVE-2015-5675 264 DoS +Priv 2017-10-10 2018-10-09
7.2
None Local Low Not required Complete Complete Complete
The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allows local users to gain privileges or cause a denial of service (kernel panic).
1303 CVE-2015-5639 295 2017-10-10 2017-11-05
5.8
None Remote Medium Not required Partial Partial None
niconico App for iOS before 6.38 does not verify SSL certificates which could allow remote attackers to execute man-in-the-middle attacks.
1304 CVE-2015-5533 89 Exec Code Sql CSRF 2017-10-23 2018-10-09
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
1305 CVE-2015-5532 79 XSS 2017-10-23 2021-04-06
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php.
1306 CVE-2015-5379 79 XSS 2017-10-23 2018-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in actions.hsp in the Ajax WebMail interface in AXIGEN Mail Server before 9.0 allows remote attackers to inject arbitrary web script or HTML via an email attachment.
1307 CVE-2015-5376 89 Exec Code Sql 2017-10-18 2017-11-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the login form in GSI WiNPAT Portal 3.2.0.1001 through 3.6.1.0 allows remote attackers to execute arbitrary SQL commands via the username field.
1308 CVE-2015-5246 254 2017-10-06 2017-11-01
6.8
None Remote Medium Not required Partial Partial Partial
The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory.
1309 CVE-2015-5227 74 Exec Code 2017-10-18 2017-11-07
6.8
None Remote Medium Not required Partial Partial Partial
The Landing Pages plugin before 1.9.2 for WordPress allows remote attackers to execute arbitrary code via the url parameter.
1310 CVE-2015-5177 415 DoS 2017-10-22 2017-11-07
5.0
None Remote Low Not required None None Partial
Double free vulnerability in the SLPDKnownDAAdd function in slpd/slpd_knownda.c in OpenSLP 1.2.1 allows remote attackers to cause a denial of service (crash) via a crafted package.
1311 CVE-2015-5173 200 +Info 2017-10-24 2021-08-25
6.8
None Remote Medium Not required Partial Partial Partial
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage."
1312 CVE-2015-5172 640 2017-10-24 2021-08-25
7.5
None Remote Low Not required Partial Partial Partial
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links.
1313 CVE-2015-5171 613 2017-10-24 2021-08-25
7.5
None Remote Low Not required Partial Partial Partial
The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions.
1314 CVE-2015-5170 352 CSRF 2017-10-24 2021-08-25
6.8
None Remote Medium Not required Partial Partial Partial
Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks.
1315 CVE-2015-5164 502 Exec Code 2017-10-18 2017-11-08
9.0
None Remote Low ??? Complete Complete Complete
The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp.
1316 CVE-2015-4650 264 Exec Code +Priv 2017-10-16 2017-11-01
10.0
None Remote Low Not required Complete Complete Complete
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to gain shell access and execute arbitrary code with root privileges via unspecified vectors.
1317 CVE-2015-4422 119 DoS Overflow +Priv Mem. Corr. 2017-10-19 2017-11-08
7.6
None Remote High Not required Complete Complete Complete
The TEEOS module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users with root permissions to gain privileges or cause a denial of service (memory corruption) via a crafted application.
1318 CVE-2015-4421 119 DoS Overflow +Priv Mem. Corr. 2017-10-19 2017-11-07
7.6
None Remote High Not required Complete Complete Complete
The tzdriver module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users to gain privileges or cause a denial of service (memory corruption) via an unspecified input.
1319 CVE-2015-3400 200 +Info 2017-10-18 2017-11-08
3.5
None Remote Medium ??? Partial None None
sharenfs 0.6.4, when built with commits bcdd594 and 7d08880 from the zfs repository, provides world readable access to the shared zfs file system, which might allow remote authenticated users to obtain sensitive information by reading shared files.
1320 CVE-2015-3321 264 +Priv 2017-10-03 2017-10-17
7.2
None Local Low Not required Complete Complete Complete
Services and files in Lenovo Fingerprint Manager before 8.01.42 have incorrect ACLs, which allows local users to invalidate local checks and gain privileges via standard filesystem operations.
1321 CVE-2015-3249 119 DoS Exec Code Overflow 2017-10-30 2017-11-18
7.5
None Remote Low Not required Partial Partial Partial
The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function.
1322 CVE-2015-3229 264 2017-10-16 2017-11-08
4.3
None Remote Medium Not required None Partial None
fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to conduct man-in-the-middle attacks by leveraging use of HTTP to download Fedora Atomic updates.
1323 CVE-2015-2988 295 2017-10-10 2017-11-03
4.0
None Remote High Not required Partial Partial None
Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates which might allow remote attackers to execute man-in-the-middle attacks.
1324 CVE-2015-2878 352 CSRF 2017-10-23 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accounts/json; turn off the (2) Url matching, (3) DNS Inject, or (4) IP Redirect Sensor in a request to interface/rest/dpi/setEnabled/1; or (5) perform whitelisting of malware MD5 hash IDs via the id parameter to interface/rest/md5-threats/whitelist.
1325 CVE-2015-2856 22 Dir. Trav. 2017-10-10 2017-10-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie.
1326 CVE-2015-2780 434 Exec Code 2017-10-16 2017-11-07
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
1327 CVE-2015-2673 264 Exec Code +Priv 2017-10-06 2017-11-01
6.5
None Remote Low ??? Partial Partial Partial
The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.
1328 CVE-2015-2297 476 DoS 2017-10-06 2017-10-13
5.0
None Remote Low Not required None None Partial
nanohttp in libcsoap allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Authorization header.
1329 CVE-2015-2158 189 DoS Exec Code 2017-10-06 2017-11-01
6.8
None Remote Medium Not required Partial Partial Partial
Off-by-one error in the pngcrush_measure_idat function in pngcrush.c in pngcrush before 1.7.84 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file.
1330 CVE-2015-2156 20 Bypass +Info 2017-10-18 2019-11-25
4.3
None Remote Medium Not required Partial None None
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
1331 CVE-2015-2148 79 XSS 2017-10-06 2017-10-11
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.2 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
1332 CVE-2015-2147 89 Exec Code Sql 2017-10-06 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters.
1333 CVE-2015-2146 89 Exec Code Sql 2017-10-06 2017-10-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to project.php, the (2) group_id parameter to group.php, the (3) status_id parameter to status.php, the (4) resolution_id parameter to resolution.php, the (5) severity_id parameter to severity.php, the (6) priority_id parameter to priority.php, the (7) os_id parameter to os.php, or the (8) site_id parameter to site.php.
1334 CVE-2015-2145 79 XSS 2017-10-06 2017-10-11
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
1335 CVE-2015-2144 79 XSS 2017-10-06 2017-10-11
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) project name parameter to project.php; the (2) use_js parameter to user.php; the (3) use_js parameter to group.php; the (4) Description parameter to status.php; the (5) Description parameter to severity.php; the (6) Regex parameter to os.php; or the (7) Name parameter to database.php.
1336 CVE-2015-2143 352 CSRF 2017-10-06 2017-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters.
1337 CVE-2015-2142 352 CSRF 2017-10-06 2017-10-12
6.0
None Remote Medium ??? Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php.
1338 CVE-2015-1835 20 2017-10-27 2017-11-16
2.6
None Remote High Not required None Partial None
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
1339 CVE-2015-1828 200 +Info 2017-10-06 2019-10-17
4.3
None Remote Medium Not required Partial None None
The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack.
1340 CVE-2015-1429 22 Dir. Trav. 2017-10-06 2020-08-19
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Cybele Software Thinfinity Remote Desktop Workstation 3.0.0.3 32-bit and 64-bit allows remote attackers to download arbitrary files via a .. (dot dot) in an unspecified parameter.
1341 CVE-2015-1239 415 DoS 2017-10-18 2021-11-09
4.3
None Remote Medium Not required None None Partial
Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF.
1342 CVE-2015-1206 119 DoS Overflow 2017-10-06 2017-11-01
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in Google Chrome before M40 allows remote attackers to cause a denial of service (unpaged memory write and process crash) via a crafted MP4 file.
1343 CVE-2015-0296 264 2017-10-06 2017-11-01
1.2
None Local High Not required None Partial None
The pre-install script in texlive 3.1.20140525_r34255.fc21 as packaged in Fedora 21 and rpm, and texlive 6.20131226_r32488.fc20 and rpm allows local users to delete arbitrary files via a crafted file in the user's home directory.
1344 CVE-2015-0226 327 +Info 2017-10-30 2019-07-23
5.0
None Remote Low Not required Partial None None
Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487.
1345 CVE-2015-0224 19 DoS 2017-10-30 2018-10-09
5.0
None Remote Low Not required None None Partial
qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203.
1346 CVE-2014-9733 20 2017-10-17 2017-11-08
7.5
None Remote Low Not required Partial Partial Partial
nw.js before 0.11.5 can simulate user input events in a normal frame, which allows remote attackers to have unspecified impact via unknown vectors.
1347 CVE-2014-9697 400 DoS 2017-10-17 2017-11-08
7.8
None Remote Low Not required None None Complete
Huawei USG9560/9520/9580 before V300R001C01SPC300 allows remote attackers to cause a memory leak or denial of service (memory exhaustion, reboot and MPU switchover) via a crafted website.
1348 CVE-2014-9678 20 2017-10-17 2017-11-08
4.3
None Remote Medium Not required None Partial None
FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to conduct content-spoofing attacks via the Swfile parameter.
1349 CVE-2014-9677 79 XSS 2017-10-17 2017-10-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the Swfile parameter.
1350 CVE-2014-9489 284 Exec Code 2017-10-17 2017-11-08
6.5
None Remote Low ??? Partial Partial Partial
The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags.
Total number of vulnerabilities : 1429   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 (This Page)28 29
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.