| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
401 |
CVE-2017-5872 |
20 |
|
DoS |
2017-03-10 |
2017-03-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The TCP/IP networking module in Unisys ClearPath MCP systems with TCP-IP-SW 57.1 before 57.152, 58.1 before 58.142, or 59.1 before 59.172, when running a TLS 1.2 service, allows remote attackers to cause a denial of service (network connectivity disruption) via a client hello with a signature_algorithms extension above those defined in RFC 5246, which triggers a full memory dump. |
|
402 |
CVE-2017-5869 |
22 |
|
Exec Code Dir. Trav. |
2017-03-24 |
2017-08-16 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in the file import feature in Nuxeo Platform 6.0, 7.1, 7.2, and 7.3 allows remote authenticated users to upload and execute arbitrary JSP code via a .. (dot dot) in the X-File-Name header. |
|
403 |
CVE-2017-5867 |
400 |
|
DoS |
2017-03-03 |
2019-10-03 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file. |
|
404 |
CVE-2017-5866 |
200 |
|
+Info |
2017-03-03 |
2017-03-08 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors. |
|
405 |
CVE-2017-5865 |
200 |
|
+Info |
2017-03-03 |
2017-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts. |
|
406 |
CVE-2017-5859 |
|
|
|
2017-03-10 |
2021-05-11 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
On Cambium Networks cnPilot R200/201 devices before 4.3, there is a vulnerability involving the certificate of the device and its RSA keys, aka RBN-183. |
|
407 |
CVE-2017-5857 |
401 |
|
DoS |
2017-03-16 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand. |
|
408 |
CVE-2017-5856 |
401 |
|
DoS |
2017-03-16 |
2020-11-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb. |
|
409 |
CVE-2017-5855 |
476 |
|
DoS |
2017-03-01 |
2017-03-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. |
|
410 |
CVE-2017-5854 |
476 |
|
DoS |
2017-03-01 |
2017-03-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. |
|
411 |
CVE-2017-5853 |
190 |
|
Overflow |
2017-03-01 |
2017-03-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file. |
|
412 |
CVE-2017-5852 |
835 |
|
DoS |
2017-03-01 |
2019-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file. |
|
413 |
CVE-2017-5851 |
476 |
|
DoS |
2017-03-01 |
2017-03-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The free_options function in options_manager.c in mp3splt 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. NOTE: this typically has no risk; this crash of this command-line program has no further consequences for availability. |
|
414 |
CVE-2017-5850 |
770 |
|
DoS |
2017-03-27 |
2019-10-03 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header. |
|
415 |
CVE-2017-5849 |
125 |
|
DoS |
2017-03-15 |
2017-04-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
tiffttopnm in netpbm 10.47.63 does not properly use the libtiff TIFFRGBAImageGet function, which allows remote attackers to cause a denial of service (out-of-bounds read and write) via a crafted tiff image file, related to transposing width and height values. |
|
416 |
CVE-2017-5836 |
415 |
|
DoS |
2017-03-03 |
2017-03-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The plist_free_data function in plist.c in libplist allows attackers to cause a denial of service (crash) via vectors involving an integer node that is treated as a PLIST_KEY and then triggers an invalid free. |
|
417 |
CVE-2017-5835 |
770 |
|
DoS |
2017-03-03 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
libplist allows attackers to cause a denial of service (large memory allocation and crash) via vectors involving an offset size of zero. |
|
418 |
CVE-2017-5834 |
125 |
|
DoS |
2017-03-03 |
2017-03-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The parse_dict_node function in bplist.c in libplist allows attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted file. |
|
419 |
CVE-2017-5833 |
79 |
|
XSS |
2017-03-03 |
2017-03-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the invocation code generation for interstitial zones in Revive Adserver before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. |
|
420 |
CVE-2017-5832 |
79 |
|
XSS |
2017-03-03 |
2017-03-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Revive Adserver before 4.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the user's email address. |
|
421 |
CVE-2017-5831 |
384 |
|
|
2017-03-03 |
2017-03-07 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
None |
|
Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. |
|
422 |
CVE-2017-5830 |
502 |
|
Exec Code |
2017-03-03 |
2019-10-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts. |
|
423 |
CVE-2017-5681 |
|
|
|
2017-03-07 |
2019-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The RSA-CRT implementation in the Intel QuickAssist Technology (QAT) Engine for OpenSSL versions prior to 0.5.19 may allow remote attackers to obtain private RSA keys by conducting a Lenstra side-channel attack. |
|
424 |
CVE-2017-5675 |
77 |
|
Exec Code |
2017-03-13 |
2017-03-15 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
A command-injection vulnerability exists in a web application on a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models. The mail-sending form in the mail.htm page allows an attacker to inject a command into the receiver1 field in the form; it will be executed with root privileges. |
|
425 |
CVE-2017-5674 |
200 |
|
+Info |
2017-03-13 |
2017-03-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malformed HTTP ("GET system.ini HTTP/1.1\n\n" - note the lack of "/" in the path field of the request) request that will disclose the configuration file with the login password. |
|
426 |
CVE-2017-5673 |
79 |
|
XSS |
2017-03-22 |
2017-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In the Kunena extension 5.0.2 through 5.0.4 for Joomla!, the forum message subject (aka topic subject) accepts JavaScript, leading to XSS. Six files are affected: crypsis/layouts/message/item/default.php, crypsis/layouts/message/item/top/default.php, crypsis/layouts/message/item/bottom/default.php, crypsisb3/layouts/message/item/default.php, crypsisb3/layouts/message/item/top/default.php, and crypsisb3/layouts/message/item/bottom/default.php. This is fixed in 5.0.5. |
|
427 |
CVE-2017-5671 |
269 |
|
|
2017-03-29 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x before 10.12.013309 have /usr/bin/lua installed setuid to the itadmin account, which allows local users to conduct a BusyBox jailbreak attack and obtain root privileges by overwriting the /etc/shadow file. |
|
428 |
CVE-2017-5668 |
476 |
|
DoS Exec Code |
2017-03-14 |
2017-03-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
bitlbee-libpurple before 3.5.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) and possibly execute arbitrary code via a file transfer request for a contact that is not in the contact list. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-10189. |
|
429 |
CVE-2017-5667 |
125 |
|
DoS Exec Code |
2017-03-16 |
2020-11-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length. |
|
430 |
CVE-2017-5666 |
416 |
|
DoS |
2017-03-01 |
2017-03-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The free_options function in options_manager.c in mp3splt 2.6.2 allows remote attackers to cause a denial of service (invalid free and crash) via a crafted file. |
|
431 |
CVE-2017-5665 |
476 |
|
DoS |
2017-03-01 |
2017-03-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The splt_cue_export_to_file function in cue.c in libmp3splt 0.9.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. |
|
432 |
CVE-2017-5644 |
776 |
|
DoS |
2017-03-24 |
2020-10-20 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack. |
|
433 |
CVE-2017-5643 |
918 |
|
|
2017-03-16 |
2019-05-24 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE. |
|
434 |
CVE-2017-5638 |
20 |
|
Exec Code |
2017-03-11 |
2021-02-24 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. |
|
435 |
CVE-2017-5633 |
352 |
|
CSRF |
2017-03-06 |
2017-03-09 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
|
Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Link DI-524 Wireless Router with firmware 9.01 allow remote attackers to (1) change the admin password, (2) reboot the device, or (3) possibly have unspecified other impact via crafted requests to CGI programs. |
|
436 |
CVE-2017-5626 |
|
|
Exec Code |
2017-03-12 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data. |
|
437 |
CVE-2017-5624 |
269 |
|
Exec Code |
2017-03-12 |
2019-10-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the 'fastboot oem disable_dm_verity' command. Having dm-verity disabled, the kernel will not verify the system partition (and any other dm-verity protected partition), which may allow for persistent code execution and privilege escalation. |
|
438 |
CVE-2017-5623 |
269 |
|
|
2017-03-19 |
2019-10-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in contradiction to the threat model of Android where the bootloader MUST NOT allow any security-sensitive operation to be run unless the bootloader is unlocked. |
|
439 |
CVE-2017-5622 |
276 |
|
|
2017-03-26 |
2019-10-03 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
With OxygenOS before 4.0.3, when a charger is connected to a powered-off OnePlus 3 or 3T device, the platform starts with adbd enabled. Therefore, a malicious charger or a physical attacker can open up, without authorization, an ADB session with the device, in order to further exploit other vulnerabilities and/or exfiltrate sensitive information. |
|
440 |
CVE-2017-5621 |
79 |
|
XSS |
2017-03-13 |
2017-03-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. XSS can be triggered via malicious HTML in a chat message or the content of a ticket article, when using either the REST API or the WebSocket API. |
|
441 |
CVE-2017-5620 |
79 |
|
XSS |
2017-03-13 |
2017-03-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An XSS issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Attachments are opened in a new tab instead of getting downloaded. This creates an attack vector of executing code in the domain of the application. |
|
442 |
CVE-2017-5619 |
287 |
|
|
2017-03-13 |
2019-10-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Attackers can login with the hashed password itself (e.g., from the DB) instead of the valid password string. |
|
443 |
CVE-2017-5618 |
863 |
|
+Priv |
2017-03-20 |
2020-08-24 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
GNU screen before 4.5.1 allows local users to modify arbitrary files and consequently gain root privileges by leveraging improper checking of logfile permissions. |
|
444 |
CVE-2017-5617 |
918 |
|
|
2017-03-16 |
2020-07-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The SVG Salamander (aka svgSalamander) library, when used in a web application, allows remote attackers to conduct server-side request forgery (SSRF) attacks via an xlink:href attribute in an SVG file. |
|
445 |
CVE-2017-5616 |
79 |
|
XSS |
2017-03-03 |
2017-03-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allows remote attackers to inject arbitrary web script or HTML via the addendum parameter. |
|
446 |
CVE-2017-5615 |
601 |
|
|
2017-03-03 |
2017-03-07 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location. |
|
447 |
CVE-2017-5614 |
601 |
|
|
2017-03-03 |
2019-10-31 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter. |
|
448 |
CVE-2017-5613 |
134 |
|
Exec Code |
2017-03-03 |
2017-03-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file. |
|
449 |
CVE-2017-5584 |
79 |
|
XSS |
2017-03-15 |
2020-02-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Management Web Interface in Palo Alto Networks PAN-OS 5.1, 6.x before 6.1.16, 7.0.x before 7.0.13, and 7.1.x before 7.1.8 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
450 |
CVE-2017-5583 |
200 |
|
+Info |
2017-03-15 |
2020-02-17 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.16, 7.0.x before 7.0.13, and 7.1.x before 7.1.8 allows remote authenticated users to read arbitrary files via unspecified vectors. |
