Total
1708 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-5227 | 1 Inboundnow | 1 Wordpress Landing Pages | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| The Landing Pages plugin before 1.9.2 for WordPress allows remote attackers to execute arbitrary code via the url parameter. | |||||
| CVE-2017-17526 | 1 Giac Project | 1 Giac | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-16766 | 1 Synology | 1 Diskstation Manager | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM |
| An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option. | |||||
| CVE-2017-7459 | 1 Ntop | 1 Ntopng | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| ntopng before 3.0 allows HTTP Response Splitting. | |||||
| CVE-2017-17531 | 1 Gnu | 1 Global | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-1000217 | 1 Opencast | 1 Opencast | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0. | |||||
| CVE-2017-17527 | 2 Debian, Pasdoc Project | 2 Debian Linux, Pasdoc | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer has indicated that the code referencing the BROWSER environment variable is never used | |||||
| CVE-2016-5013 | 1 Moodle | 1 Moodle | 2025-04-20 | 5.8 MEDIUM | 5.4 MEDIUM |
| In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. | |||||
| CVE-2017-17513 | 1 Tug | 1 Tex Live | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua. | |||||
| CVE-2017-17522 | 1 Python | 1 Python | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting | |||||
| CVE-2015-4075 | 1 Helpdeskpro | 1 Helpdesk Pro | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task. | |||||
| CVE-2016-3695 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2025-04-20 | 2.1 LOW | 5.5 MEDIUM |
| The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set. | |||||
| CVE-2017-14397 | 2 Anydesk, Microsoft | 2 Anydesk, Windows | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. | |||||
| CVE-2017-5636 | 1 Apache | 1 Nifi | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. | |||||
| CVE-2017-17524 | 1 Swi-prolog | 1 Swi-prolog | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-7239 | 1 Ninka Project | 1 Ninka | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Ninka before 1.3.2 might allow remote attackers to obtain sensitive information, manipulate license compliance scan results, or cause a denial of service (process hang) via a crafted filename. | |||||
| CVE-2017-17512 | 1 Sensible-utils Project | 1 Sensible-utils | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| sensible-browser in sensible-utils before 0.0.11 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument. | |||||
| CVE-2017-3547 | 1 Oracle | 1 Peoplesoft Enterprise Peopletools | 2025-04-20 | 7.1 HIGH | 7.4 HIGH |
| Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: MultiChannel Framework). Supported versions that are affected are 8.54 and 8.55. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.0 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). | |||||
| CVE-2017-5585 | 1 Opentext | 1 Documentum Content Server | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| OpenText Documentum Content Server (formerly EMC Documentum Content Server) 7.3, when PostgreSQL Database is used and return_top_results_row_based config option is false, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML or DDL commands via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2520. | |||||
| CVE-2017-9861 | 1 Sma | 78 Sunny Boy 1.5, Sunny Boy 1.5 Firmware, Sunny Boy 2.5 and 75 more | 2025-04-20 | 9.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in SMA Solar Technology products. The SIP implementation does not properly use authentication with encryption: it is vulnerable to replay attacks, packet injection attacks, and man in the middle attacks. An attacker is able to successfully use SIP to communicate with the device from anywhere within the LAN. An attacker may use this to crash the device, stop it from communicating with the SMA servers, exploit known SIP vulnerabilities, or find sensitive information from the SIP communications. Furthermore, because the SIP communication channel is unencrypted, an attacker capable of understanding the protocol can eavesdrop on communications. For example, passwords can be extracted. NOTE: the vendor's position is that authentication with encryption is not required on an isolated subnetwork. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected | |||||