
Security Vulnerabilities Published In October 2017

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1351 CVE-2014-9487 611 DoS 2017-10-17 2017-11-08
7.5
None Remote Low Not required Partial Partial Partial
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
1352 CVE-2014-9474 119 Overflow 2017-10-10 2017-11-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str.
1353 CVE-2014-9148 284 Bypass 2017-10-16 2017-10-25
7.5
None Remote Low Not required Partial Partial Partial
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
1354 CVE-2014-9147 200 +Info 2017-10-16 2017-10-25
5.0
None Remote Low Not required Partial None None
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
1355 CVE-2014-9118 77 Exec Code 2017-10-17 2018-10-09
9.0
None Remote Low ??? Complete Complete Complete
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
1356 CVE-2014-9092 119 DoS Overflow 2017-10-10 2018-07-12
4.3
None Remote Medium Not required None None Partial
libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.
1357 CVE-2014-8957 79 XSS 2017-10-06 2017-10-12
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter.
1358 CVE-2014-8758 79 XSS 2017-10-06 2017-10-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin before 3.0.70 for WordPress allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in the gallery_album_sorting page to wp-admin/admin.php.
1359 CVE-2014-8621 89 Exec Code Sql 2017-10-16 2017-10-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.
1360 CVE-2014-8492 79 XSS 2017-10-06 2017-10-13
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter.
1361 CVE-2014-8491 200 +Info 2017-10-18 2017-11-08
5.0
None Remote Low Not required Partial None None
The Grand Flagallery plugin before 4.25 for WordPress allows remote attackers to obtain the installation path via a request to (1) flagallery-skins/banner_widget_default/gallery.php or (2) flash-album-gallery/skins/banner_widget_default/gallery.php.
1362 CVE-2014-8357 255 2017-10-17 2018-10-09
4.0
None Remote Low ??? Partial None None
backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf.
1363 CVE-2014-8324 20 DoS 2017-10-17 2018-10-09
5.0
None Remote Low Not required None None Partial
network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.
1364 CVE-2014-8323 20 DoS 2017-10-17 2018-10-09
5.0
None Remote Low Not required None None Partial
buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.
1365 CVE-2014-8087 79 XSS 2017-10-16 2017-10-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline action to ajax/ph_save.php.
1366 CVE-2014-7851 264 +Priv 2017-10-16 2019-11-06
6.0
None Remote Medium ??? Partial Partial Partial
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
1367 CVE-2014-7813 400 DoS 2017-10-18 2017-11-07
4.0
None Remote Low ??? None None Partial
Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols.
1368 CVE-2014-7242 295 +Info 2017-10-18 2017-11-08
4.3
None Remote Medium Not required Partial None None
The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates.
1369 CVE-2014-7240 79 XSS 2017-10-06 2017-10-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Easy Contact Form Solution plugin before 1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value parameter in a master_response action to wp-admin/admin-ajax.php.
1370 CVE-2014-3744 22 Dir. Trav. 2017-10-23 2017-11-15
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
1371 CVE-2014-3741 77 Exec Code 2017-10-23 2017-11-21
7.5
None Remote Low Not required Partial Partial Partial
The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command.
1372 CVE-2014-3709 352 CSRF 2017-10-18 2017-11-07
6.8
None Remote Medium Not required Partial Partial Partial
The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.
1373 CVE-2014-3706 295 2017-10-18 2017-11-07
4.3
None Remote Medium Not required Partial None None
ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates.
1374 CVE-2014-3702 22 DoS Dir. Trav. 2017-10-16 2017-11-07
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a .. (dot dot) in the session parameter.
1375 CVE-2014-3624 284 Bypass 2017-10-30 2017-11-17
7.5
None Remote Low Not required Partial Partial Partial
Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT.
1376 CVE-2014-3600 611 2017-10-27 2019-03-27
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
1377 CVE-2014-3579 611 2017-10-27 2019-03-27
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.
1378 CVE-2014-3531 79 XSS 2017-10-18 2017-10-27
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description.
1379 CVE-2014-3526 200 +Info 2017-10-30 2019-12-11
5.0
None Remote Low Not required Partial None None
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
1380 CVE-2014-3164 476 DoS 2017-10-18 2017-11-07
5.0
None Remote Low Not required None None Partial
cmds/servicemanager/service_manager.c in Android before commit 7d42a3c31ba78a418f9bdde0e0ab951469f321b5 allows attackers to cause a denial of service (NULL pointer dereference, or out-of-bounds write) via vectors related to binder passed lengths.
1381 CVE-2014-2903 310 2017-10-06 2017-10-17
4.3
None Remote Medium Not required Partial None None
CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake.
1382 CVE-2014-2664 434 Exec Code 2017-10-17 2017-11-08
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
1383 CVE-2014-2277 284 +Info 2017-10-17 2020-02-04
3.6
None Local Low Not required Partial Partial None
The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function.
1384 CVE-2014-2023 89 1 Exec Code Sql 2017-10-26 2017-11-15
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/.
1385 CVE-2014-1203 77 Exec Code 2017-10-24 2019-12-11
7.5
None Remote Low Not required Partial Partial Partial
The get_login_ip_config_file function in Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php.
1386 CVE-2014-0691 331 Bypass 2017-10-24 2017-11-14
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643.
1387 CVE-2014-0208 79 XSS 2017-10-16 2017-11-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name.
1388 CVE-2014-0115 22 Dir. Trav. 2017-10-30 2017-11-15
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log.
1389 CVE-2014-0073 264 +Priv 2017-10-30 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.
1390 CVE-2014-0072 20 2017-10-30 2018-10-09
5.0
None Remote Low Not required None Partial None
ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option.
1391 CVE-2014-0047 2017-10-06 2017-10-13
4.6
None Local Low Not required Partial Partial Partial
Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage.
1392 CVE-2014-0043 200 +Info 2017-10-03 2017-10-11
5.0
None Remote Low Not required Partial None None
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special URLs handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third-party library with a known security vulnerability is in use.
1393 CVE-2014-0030 611 2017-10-10 2019-05-06
7.5
None Remote Low Not required Partial Partial Partial
The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
1394 CVE-2014-0029 79 XSS 2017-10-16 2017-11-07
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
1395 CVE-2013-7377 77 Exec Code 2017-10-23 2017-11-21
6.8
None Remote Medium Not required Partial Partial Partial
The codem-transcode module before 0.5.0 for Node.js, when ffprobe is enabled, allows remote attackers to execute arbitrary commands via a POST request to /probe.
1396 CVE-2013-6924 77 Exec Code 2017-10-11 2017-11-03
10.0
None Remote Low Not required Complete Complete Complete
Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php.
1397 CVE-2013-6355 +Info 2017-10-17 2017-10-17
0.0
None ??? ??? ??? ??? ??? ???
The Microsoft Graphics Component in Windows Server 2003 Service Pack 2, x64 Edition Service Pack 2, SP2 for Itanium-based Systems, Windows Vista Service Pack 2 and x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2, x64-based Systems Service Pack 2, and Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems Service Pack 1, and x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, and Itanium-based Systems Service Pack 1, Windows 8 and Windows 8.1 for 32-bit Systems and x64-based Systems, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1, and the Server Core installation option for Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2012, and Windows Server 2012 R2 does not properly decode JPEG images in memory, which allows remote attackers to obtain sensitive information via a crafted JPEG.
1398 CVE-2013-6049 20 2017-10-20 2017-11-08
4.6
None Local Low Not required Partial Partial Partial
apt-listbugs before 0.1.10 creates temporary files insecurely, which allows attackers to have unspecified impact via unknown vectors.
1399 CVE-2013-4366 20 2017-10-30 2020-07-28
7.5
None Remote Low Not required Partial Partial Partial
http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.
1400 CVE-2013-4246 284 DoS +Info 2017-10-30 2017-11-18
6.5
None Remote Low ??? Partial Partial Partial
libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties.
Total number of vulnerabilities: 1429. Page 28 of 29.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.