Total
1786 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6015 | 1 Rockwellautomation | 1 Factorytalk Activation | 2019-10-09 | 7.2 HIGH | 7.8 HIGH |
| Without quotation marks, any whitespace in the file path for Rockwell Automation FactoryTalk Activation version 4.00.02 remains ambiguous, which may allow an attacker to link to or run a malicious executable. This may allow an authorized, but not privileged local user to execute arbitrary code with elevated privileges on the system. CVSS v3 base score: 8.8, CVSS vector string: (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). Rockwell Automation has released a new version of FactoryTalk Activation, Version 4.01, which addresses the identified vulnerability. Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation, Version 4.01 or later. | |||||
| CVE-2017-6031 | 1 Certec Edv Gmbh | 1 Atvise Scada | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A Header Injection issue was discovered in Certec EDV GmbH atvise scada prior to Version 3.0. An "improper neutralization of HTTP headers for scripting syntax" issue has been identified, which may allow remote code execution. | |||||
| CVE-2017-1202 | 1 Ibm | 1 Bigfix Compliance | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 123677. | |||||
| CVE-2017-1115 | 1 Ibm | 1 Campaign | 2019-10-09 | 3.5 LOW | 5.4 MEDIUM |
| IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 121153. | |||||
| CVE-2017-16719 | 1 Moxa | 6 Nport 5110, Nport 5110 Firmware, Nport 5130 and 3 more | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| An Injection issue was discovered in Moxa NPort 5110 Version 2.2, NPort 5110 Version 2.4, NPort 5110 Version 2.6, NPort 5110 Version 2.7, NPort 5130 Version 3.7 and prior, and NPort 5150 Version 3.7 and prior. An attacker may be able to inject packets that could potentially disrupt the availability of the device. | |||||
| CVE-2017-16043 | 1 Shout Project | 1 Shout | 2019-10-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3. | |||||
| CVE-2017-14094 | 1 Trendmicro | 1 Smart Protection Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system. | |||||
| CVE-2015-1592 | 2 Debian, Sixapart | 2 Debian Linux, Movable Type | 2019-10-09 | 7.5 HIGH | N/A |
| Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors. | |||||
| CVE-2017-7459 | 1 Ntop | 1 Ntopng | 2019-10-03 | 5.0 MEDIUM | 7.5 HIGH |
| ntopng before 3.0 allows HTTP Response Splitting. | |||||
| CVE-2017-6748 | 1 Cisco | 2 Web Security Appliance, Web Security Virtual Appliance | 2019-10-03 | 7.2 HIGH | 6.7 MEDIUM |
| A vulnerability in the CLI parser of the Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid operator-level or administrator-level credentials. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCvd88855. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270 10.1.1-234. | |||||
| CVE-2017-8458 | 1 Brave | 1 Brave | 2019-10-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Brave 0.12.4 has a URI Obfuscation issue in which a string such as https://safe.example.com@unsafe.example.com/ is displayed without a clear UI indication that it is not a resource on the safe.example.com web site. | |||||
| CVE-2017-7239 | 1 Ninka Project | 1 Ninka | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| Ninka before 1.3.2 might allow remote attackers to obtain sensitive information, manipulate license compliance scan results, or cause a denial of service (process hang) via a crafted filename. | |||||
| CVE-2017-6971 | 2 Alienvault, Nfsen | 3 Ossim, Unified Security Management, Nfsen | 2019-10-03 | 9.0 HIGH | 8.8 HIGH |
| AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow remote authenticated users to execute arbitrary commands in a privileged context, or launch a reverse shell, via vectors involving the PHP session ID and the NfSen PHP code, aka AlienVault ID ENG-104862. | |||||
| CVE-2018-20167 | 1 Enlightenment | 1 Terminology | 2019-10-03 | 6.8 MEDIUM | 7.8 HIGH |
| Terminology before 1.3.1 allows Remote Code Execution because popmedia is mishandled, as demonstrated by an unsafe "cat README.md" command when \e}pn is used. A popmedia control sequence can allow the malicious execution of executable file formats registered in the X desktop share MIME types (/usr/share/applications). The control sequence defers unknown file types to the handle_unknown_media() function, which executes xdg-open against the filename specified in the sequence. The use of xdg-open for all unknown file types allows executable file formats with a registered shared MIME type to be executed. An attacker can achieve remote code execution by introducing an executable file and a plain text file containing the control sequence through a fake software project (e.g., in Git or a tarball). When the control sequence is rendered (such as with cat), the executable file will be run. | |||||
| CVE-2017-3547 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2019-10-03 | 7.1 HIGH | 7.4 HIGH |
| Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.0 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). | |||||
| CVE-2018-4995 | 3 Adobe, Apple, Microsoft | 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an XFA '\n' POST injection vulnerability. Successful exploitation could lead to a security bypass. | |||||
| CVE-2019-16532 | 1 Yzmcms | 1 Yzmcms | 2019-09-28 | 5.8 MEDIUM | 6.1 MEDIUM |
| An HTTP Host header injection vulnerability exists in YzmCMS V5.3. A malicious user can poison a web cache or trigger redirections. | |||||
| CVE-2017-18634 | 1 Tagdiv | 1 Newspaper | 2019-09-16 | 7.5 HIGH | 9.8 CRITICAL |
| The newspaper theme before 6.7.2 for WordPress has script injection via td_ads[header] to admin-ajax.php. | |||||
| CVE-2019-5977 | 1 Cybozu | 1 Garoon | 2019-09-13 | 4.0 MEDIUM | 4.3 MEDIUM |
| Mail header injection vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 may allow a remote authenticated attackers to alter mail header via the application 'E-Mail'. | |||||
| CVE-2017-18604 | 1 Sitebuilder Dynamic Components Project | 1 Sitebuilder Dynamic Components | 2019-09-11 | 5.0 MEDIUM | 7.5 HIGH |
| The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request. | |||||