CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In April 2017

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
101 CVE-2017-8051 78 2017-04-21 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a flaw in the simpleupload.py script in the Web UI. Through the manipulation of the tns_appliance_session_user parameter, a remote attacker can inject arbitrary commands.
102 CVE-2017-8050 2017-04-21 2019-10-03
5.0
None Remote Low Not required None Partial None
Tenable Appliance 4.4.0, and possibly prior, contains a flaw in the Web UI that allows for the unauthorized manipulation of the admin password.
103 CVE-2017-7994 476 DoS 2017-04-21 2019-03-18
4.3
None Remote Medium Not required None None Partial
The function TextExtractor::ExtractText in TextExtractor.cpp:77 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document.
104 CVE-2017-7992 79 XSS 2017-04-21 2017-04-27
4.3
None Remote Medium Not required None Partial None
Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2.8.17 is vulnerable to a reflected XSS in examples/consumer-authentication/cruise.php via the URI, as demonstrated by the cavv parameter.
105 CVE-2017-7991 89 Sql 2017-04-22 2020-04-28
7.5
None Remote Low Not required Partial Partial Partial
Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.
106 CVE-2017-7990 352 XSS CSRF 2017-04-21 2017-04-26
6.8
None Remote Medium Not required Partial Partial Partial
The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.
107 CVE-2017-7989 434 2017-04-25 2017-05-02
4.0
None Remote Low ??? None Partial None
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type checks allowed low-privilege users to upload swf files even if they were explicitly forbidden.
108 CVE-2017-7988 2017-04-25 2019-10-03
5.0
None Remote Low Not required None Partial None
In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of form contents allows overwriting the author of an article.
109 CVE-2017-7987 79 XSS 2017-04-25 2017-05-03
4.3
None Remote Medium Not required None Partial None
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping of file and folder names leads to XSS vulnerabilities in the template manager component.
110 CVE-2017-7986 79 XSS 2017-04-25 2017-05-02
4.3
None Remote Medium Not required None Partial None
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of specific HTML attributes leads to XSS vulnerabilities in various components.
111 CVE-2017-7985 79 XSS 2017-04-25 2019-03-19
4.3
None Remote Medium Not required None Partial None
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering of multibyte characters leads to XSS vulnerabilities in various components.
112 CVE-2017-7984 79 XSS 2017-04-25 2017-05-02
4.3
None Remote Medium Not required None Partial None
In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering leads to XSS in the template manager component.
113 CVE-2017-7983 200 +Info 2017-04-25 2017-05-03
5.0
None Remote Low Not required Partial None None
In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the JMail API leaked the used PHPMailer version in the mail headers.
114 CVE-2017-7982 190 DoS Overflow 2017-04-20 2020-04-02
4.3
None Remote Medium Not required None None Partial
Integer overflow in the plist_from_bin function in bplist.c in libimobiledevice/libplist before 2017-04-19 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted plist file.
115 CVE-2017-7981 78 Exec Code 2017-04-29 2019-10-03
9.0
None Remote Low ??? Complete Complete Complete
Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 SyntaxHighlighter plugin. This occurs in the Project Wiki component because the proc_open PHP function is used within PhpWiki before 1.5.5 with a syntax value in its first argument, and an authenticated Tuleap user can control this value, even with shell metacharacters, as demonstrated by a '<?plugin SyntaxHighlighter syntax="c;id"' line to execute the id command.
116 CVE-2017-7979 20 DoS 2017-04-19 2017-04-26
7.2
None Local Low Not required Complete Complete Complete
The cookie feature in the packet action API implementation in net/sched/act_api.c in the Linux kernel 4.11.x through 4.11-rc7 mishandles the tb nlattr array, which allows local users to cause a denial of service (uninitialized memory access and refcount underflow, and system hang or crash) or possibly have unspecified other impact via "tc filter add" commands in certain contexts. NOTE: this does not affect stable kernels, such as 4.10.x, from kernel.org.
117 CVE-2017-7978 200 +Info 2017-04-19 2017-04-25
5.0
None Remote Low Not required Partial None None
Samsung Android devices with L(5.0/5.1), M(6.0), and N(7.x) software allow attackers to obtain sensitive information by reading a world-readable log file after an unexpected reboot. The Samsung ID is SVE-2017-8290.
118 CVE-2017-7976 190 DoS Overflow 2017-04-19 2017-11-04
5.8
None Remote Medium Not required Partial None Partial
Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information from process memory.
119 CVE-2017-7975 190 DoS Exec Code Overflow 2017-04-19 2017-11-04
6.8
None Remote Medium Not required Partial Partial Partial
Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code.
120 CVE-2017-7964 1188 2017-04-19 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process.
121 CVE-2017-7963 770 DoS 2017-04-19 2019-10-03
5.0
None Remote Low Not required None None Partial
** DISPUTED ** The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating "There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior."
122 CVE-2017-7962 369 DoS 2017-04-19 2019-09-16
4.3
None Remote Medium Not required None None Partial
The iwgif_read_image function in imagew-gif.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file.
123 CVE-2017-7961 119 DoS Overflow 2017-04-19 2019-06-18
6.8
None Remote Medium Not required Partial Partial Partial
** DISPUTED ** The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an "outside the range of representable values of type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CSS file. NOTE: third-party analysis reports "This is not a security issue in my view. The conversion surely is truncating the double into a long value, but there is no impact as the value is one of the RGB components."
124 CVE-2017-7960 125 DoS 2017-04-19 2019-10-03
4.3
None Remote Medium Not required None None Partial
The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
125 CVE-2017-7957 20 2017-04-29 2019-03-26
5.0
None Remote Low Not required None None Partial
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
126 CVE-2017-7951 352 CSRF 2017-04-21 2017-04-24
6.8
None Remote Medium Not required Partial Partial Partial
WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspecified context.
127 CVE-2017-7948 190 DoS Overflow 2017-04-19 2019-03-19
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the mark_curve function in Artifex Ghostscript 9.21 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via a crafted PostScript document.
128 CVE-2017-7946 416 DoS 2017-04-18 2017-04-21
4.3
None Remote Medium Not required None None Partial
The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2 1.3.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted Mach0 file.
129 CVE-2017-7945 209 2017-04-29 2020-02-17
5.0
None Remote Low Not required Partial None None
The GlobalProtect external interface in Palo Alto Networks PAN-OS before 6.1.17, 7.x before 7.0.15, 7.1.x before 7.1.9, and 8.x before 8.0.2 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account names and conduct brute-force attacks via a series of requests, aka PAN-SA-2017-0014 and PAN-72769.
130 CVE-2017-7944 79 XSS 2017-04-24 2017-04-27
4.3
None Remote Medium Not required None Partial None
XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install DB failure error message in page_dbsettings.php.
131 CVE-2017-7943 772 2017-04-18 2019-10-03
4.3
None Remote Medium Not required None None Partial
The ReadSVGImage function in svg.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file.
132 CVE-2017-7942 772 2017-04-18 2019-10-03
4.3
None Remote Medium Not required None None Partial
The ReadAVSImage function in avs.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file.
133 CVE-2017-7941 772 2017-04-18 2019-10-03
4.3
None Remote Medium Not required None None Partial
The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file.
134 CVE-2017-7940 400 2017-04-18 2019-09-16
4.3
None Remote Medium Not required None None Partial
The iw_read_gif_file function in imagew-gif.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to consume an amount of available memory via a crafted file.
135 CVE-2017-7939 125 DoS 2017-04-18 2019-10-03
4.3
None Remote Medium Not required None None Partial
The read_next_pam_token function in imagew-pnm.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (stack-based buffer over-read) via a crafted file.
136 CVE-2017-7938 119 DoS Overflow 2017-04-20 2017-08-16
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in DMitry (Deepmagic Information Gathering Tool) version 1.3a (Unix) allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long argument. An example threat model is automated execution of DMitry with hostname strings found in local log files.
137 CVE-2017-7897 79 XSS 2017-04-18 2017-07-11
4.3
None Remote Medium Not required None Partial None
A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_page.php) and User Information (view_user_page.php) pages, allows remote attackers to inject arbitrary code (if CSP settings permit it) through crafted PATH_INFO in a URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.
138 CVE-2017-7896 79 XSS 2017-04-18 2017-04-25
4.3
None Remote Medium Not required None Partial None
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS.
139 CVE-2017-7895 119 Overflow 2017-04-28 2019-10-03
10.0
None Remote Low Not required Complete Complete Complete
The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c.
140 CVE-2017-7892 20 Overflow 2017-04-17 2017-04-25
5.0
None Remote Low Not required None None Partial
Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a compiler optimization. A remote attacker can trigger a segfault in a 32-bit libcapnp application because Cap'n Proto relies on pointer arithmetic calculations that overflow. An example compiler with optimization that elides a bounds check in such calculations is Apple LLVM version 8.1.0 (clang-802.0.41). The attack vector is a crafted far pointer within a message.
141 CVE-2017-7891 79 XSS 2017-04-17 2017-04-25
4.3
None Remote Medium Not required None Partial None
sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via the rebanid parameter.
142 CVE-2017-7889 732 Bypass 2017-04-17 2021-01-05
7.2
None Local Low Not required Complete Complete Complete
The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c.
143 CVE-2017-7885 190 DoS Overflow 2017-04-17 2017-11-04
5.8
None Remote Medium Not required Partial None Partial
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to denial of service (application crash) or disclosure of sensitive information from process memory, because of an integer overflow in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c in libjbig2dec.a during operation on a crafted .jb2 file.
144 CVE-2017-7882 787 2017-04-15 2017-11-15
7.5
None Remote Low Not required Partial Partial Partial
LibreOffice before 2017-03-14 has an out-of-bounds write related to the HWPFile::TagsRead function in hwpfilter/source/hwpfile.cxx.
145 CVE-2017-7881 352 Bypass CSRF 2017-04-15 2017-04-21
6.8
None Remote Medium Not required Partial Partial Partial
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
146 CVE-2017-7879 89 Sql 2017-04-14 2017-04-21
5.0
None Remote Low Not required Partial None None
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.
147 CVE-2017-7878 89 Sql 2017-04-14 2017-04-21
7.5
None Remote Low Not required Partial Partial Partial
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.
148 CVE-2017-7877 352 CSRF 2017-04-14 2017-04-21
6.8
None Remote Medium Not required Partial Partial Partial
CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.
149 CVE-2017-7875 787 Overflow 2017-04-14 2020-05-24
7.5
None Remote Low Not required Partial Partial Partial
In wallpaper.c in feh before v2.18.3, if a malicious client pretends to be the E17 window manager, it is possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free.
150 CVE-2017-7874 Exec Code 2017-04-15 2017-04-18
0.0
None ??? ??? ??? ??? ??? ???
udevd in udev 232, when the Linux kernel 4.8.0 is used, does not properly verify the source of a Netlink message, which allows local users to execute arbitrary commands by leveraging access to the NETLINK_KOBJECT_UEVENT family, and the presence of the /lib/udev/rules.d/50-udev-default.rules file, to provide a crafted REMOVE_CMD value.
Total number of vulnerabilities: 1574 (page 3 of 32)