CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2017 (CVSS score >= 3)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
351 CVE-2017-15239 119 DoS Overflow 2017-10-11 2017-10-24
6.8
None Remote Medium Not required Partial Partial Partial
IrfanView 4.44 - 32bit with PDF plugin version 4.43 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted .pdf file, related to "Data from Faulting Address may be used as a return value starting at PDF!xmlParserInputRead+0x0000000000040db4."
352 CVE-2017-15238 416 2017-10-11 2019-06-30
6.8
None Remote Medium Not required Partial Partial Partial
ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26 has a use-after-free issue when the height or width is zero, related to ReadJNGImage.
353 CVE-2017-15236 200 +Info 2017-10-11 2017-11-05
5.0
None Remote Low Not required Partial None None
Tiandy IP cameras 5.56.17.120 do not properly restrict a certain proprietary protocol, which allows remote attackers to read settings via a crafted request to TCP port 3001, as demonstrated by config* files and extendword.txt.
354 CVE-2017-15235 425 Bypass 2017-10-11 2020-08-29
5.0
None Remote Low Not required Partial None None
The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.
355 CVE-2017-15232 476 2017-10-11 2018-07-11
4.3
None Remote Medium Not required None None Partial
libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file.
356 CVE-2017-15228 125 2017-10-22 2018-02-04
5.0
None Remote Low Not required None None Partial
Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.
357 CVE-2017-15227 416 2017-10-22 2018-02-04
5.0
None Remote Low Not required None None Partial
Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.
358 CVE-2017-15226 78 2017-10-10 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call.
359 CVE-2017-15225 772 DoS 2017-10-10 2019-10-03
4.3
None Remote Medium Not required None None Partial
_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file.
360 CVE-2017-15223 835 2017-10-24 2019-10-03
5.0
None Remote Low Not required None None Partial
Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2 and earlier allows remote attackers to waste CPU resources (memory consumption) via unspecified vectors, possibly triggering an infinite loop.
361 CVE-2017-15222 120 Exec Code Overflow 2017-10-24 2019-12-10
7.5
None Remote Low Not required Partial Partial Partial
Buffer Overflow vulnerability in Ayukov NFTPD 2.0 and earlier allows remote attackers to execute arbitrary code.
362 CVE-2017-15221 119 Overflow 2017-10-16 2020-03-10
6.8
None Remote Medium Not required Partial Partial Partial
ASX to MP3 converter 3.1.3.7.2010.11.05 has a buffer overflow via a crafted M3U file, a related issue to CVE-2009-1324.
363 CVE-2017-15220 119 Exec Code Overflow 2017-10-11 2017-10-26
7.5
None Remote Low Not required Partial Partial Partial
Flexense VX Search Enterprise 10.1.12 is vulnerable to a buffer overflow via an empty POST request to a long URI beginning with a /../ substring. This allows remote attackers to execute arbitrary code.
364 CVE-2017-15219 79 XSS 2017-10-10 2017-10-25
3.5
None Remote Medium ??? None Partial None
The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Scripting (XSS) affecting a vanity-urls Title field, a containers Description field, and a templates Description field.
365 CVE-2017-15218 772 2017-10-10 2019-10-03
4.3
None Remote Medium Not required None None Partial
ImageMagick 7.0.7-2 has a memory leak in ReadOneJNGImage in coders/png.c.
366 CVE-2017-15217 772 2017-10-10 2019-10-03
4.3
None Remote Medium Not required None None Partial
ImageMagick 7.0.7-2 has a memory leak in ReadSGIImage in coders/sgi.c.
367 CVE-2017-15216 79 XSS 2017-10-10 2017-10-27
4.3
None Remote Medium Not required None Partial None
MISP before 2.4.81 has a potential reflected XSS in a quickDelete action that is used to delete a sighting, related to app/View/Sightings/ajax/quickDeleteConfirmationForm.ctp and app/webroot/js/misp.js.
368 CVE-2017-15215 79 XSS 2017-10-11 2017-10-27
4.3
None Remote Medium Not required None Partial None
Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticated attacker to inject JavaScript via the searchtags parameter to index.php. If the victim is an administrator, an attacker can (for example) take over the admin session or change global settings or add/delete links. It is also possible to execute JavaScript against unauthenticated users.
369 CVE-2017-15214 79 +Priv XSS 2017-10-11 2017-10-27
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges and also to execute JavaScript against other users (including unauthenticated users), via the name, title, or id parameter to plugins/dokuwiki/lib/plugins/changelinks/syntax.php.
370 CVE-2017-15213 79 +Priv XSS 2017-10-11 2017-10-27
3.5
None Remote Medium ??? None Partial None
Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenticated user to inject JavaScript to gain administrator privileges, via the real_name or email_address field to themes/CleanFS/templates/common.editallusers.tpl.
371 CVE-2017-15212 200 +Info 2017-10-11 2017-10-19
4.0
None Remote Low ??? Partial None None
In Kanboard before 1.0.47, by altering form data, an authenticated user can at least see the names of tags of a private project of another user.
372 CVE-2017-15211 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an external link to a private project of another user.
373 CVE-2017-15210 200 +Info 2017-10-11 2017-10-19
4.0
None Remote Low ??? Partial None None
In Kanboard before 1.0.47, by altering form data, an authenticated user can see thumbnails of pictures from a private project of another user.
374 CVE-2017-15209 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove attachments from a private project of another user.
375 CVE-2017-15208 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove automatic actions from a private project of another user.
376 CVE-2017-15207 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tasks of a private project of another user.
377 CVE-2017-15206 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can add an internal link to a private project of another user.
378 CVE-2017-15205 200 +Info 2017-10-11 2017-10-19
4.0
None Remote Low ??? Partial None None
In Kanboard before 1.0.47, by altering form data, an authenticated user can download attachments from a private project of another user.
379 CVE-2017-15204 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can add automatic actions to a private project of another user.
380 CVE-2017-15203 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove categories from a private project of another user.
381 CVE-2017-15202 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit columns of a private project of another user.
382 CVE-2017-15201 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit tags of a private project of another user.
383 CVE-2017-15200 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new task to a private project of another user.
384 CVE-2017-15199 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit metadata of a private project of another user, as demonstrated by Name, Email, Identifier, and Description.
385 CVE-2017-15198 200 +Info 2017-10-11 2017-10-19
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit a category of a private project of another user.
386 CVE-2017-15197 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can add a new category to a private project of another user.
387 CVE-2017-15196 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can remove columns from a private project of another user.
388 CVE-2017-15195 639 2017-10-11 2019-10-03
4.0
None Remote Low ??? None Partial None
In Kanboard before 1.0.47, by altering form data, an authenticated user can edit swimlanes of a private project of another user.
389 CVE-2017-15194 79 XSS 2017-10-11 2017-10-20
4.3
None Remote Medium Not required None Partial None
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
390 CVE-2017-15193 400 2017-10-10 2017-10-17
7.8
None Remote Low Not required None None Complete
In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach.
391 CVE-2017-15192 2017-10-10 2019-10-03
5.0
None Remote Low Not required None None Partial
In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level.
392 CVE-2017-15191 134 2017-10-10 2019-03-01
5.0
None Remote Low Not required None None Partial
In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length.
393 CVE-2017-15190 2017-10-10 2019-10-03
5.0
None Remote Low Not required None None Partial
In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable.
394 CVE-2017-15189 772 2017-10-10 2019-10-03
5.0
None Remote Low Not required None None Partial
In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements.
395 CVE-2017-15188 79 XSS 2017-10-11 2021-02-23
3.5
None Remote Medium ??? None Partial None
A persistent (stored) XSS vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to inject arbitrary web script or HTML via the hosts array parameter to module/admin_device/index.php.
396 CVE-2017-15186 415 DoS 2017-10-24 2017-11-29
4.3
None Remote Medium Not required None None Partial
Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file.
397 CVE-2017-15185 20 DoS 2017-10-09 2017-11-05
4.3
None Remote Medium Not required None None Partial
plugins/ogg.c in Libmp3splt 0.9.2 calls the libvorbis vorbis_block_clear function with uninitialized data upon detection of invalid input, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
398 CVE-2017-15084 352 CSRF 2017-10-06 2017-10-13
4.3
None Remote Medium Not required None None Partial
The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22.
399 CVE-2017-15081 89 Sql 2017-10-24 2017-11-14
7.5
None Remote Low Not required Partial Partial Partial
In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
400 CVE-2017-15079 22 Dir. Trav. 2017-10-06 2017-10-13
5.0
None Remote Low Not required Partial None None
The Smush Image Compression and Optimization plugin before 2.7.6 for WordPress allows directory traversal.
Total number of vulnerabilities : 1339   Page : 1 2 3 4 5 6 7 8 (This Page)9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.