Vulnerabilities (CVE)

Filtered by NVD-CWE-noinfo
Total 35896 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-18076 2 Debian, Omniauth 2 Debian Linux, Omniauth 2026-06-17 5.0 MEDIUM 7.5 HIGH
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
CVE-2017-18071 1 Qualcomm 24 Mdm9206, Mdm9206 Firmware, Mdm9607 and 21 more 2026-06-17 10.0 HIGH 9.8 CRITICAL
In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, debug policy can potentially be bypassed.
CVE-2017-18045 1 Directadmin 1 Directadmin 2026-06-17 7.5 HIGH 9.8 CRITICAL
JBMC DirectAdmin before 1.52, when the email_ftp_password_change setting is nonzero, allows remote attackers to obtain access or cause a denial of service (segfault) via an unspecified request.
CVE-2017-18026 2 Debian, Redmine 2 Debian Linux, Redmine 2026-06-17 6.8 MEDIUM 8.8 HIGH
Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536.
CVE-2017-17974 1 Basystems 4 Bas920, Bas920 Firmware, Isc2000 and 1 more 2026-06-17 5.0 MEDIUM 9.8 CRITICAL
BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_sid_js.aspx or isc/get_sid.aspx, as demonstrated by obtaining administrative access by subsequently using the credential information for the Supervisor/Administrator account.
CVE-2017-17877 1 Valvesoftware 2 Steam Link, Steam Link Firmware 2026-06-17 10.0 HIGH 9.8 CRITICAL
An issue was discovered in Valve Steam Link build 643. When the SSH daemon is enabled for local development, the device is publicly available via IPv6 TCP port 22 over the internet (with stateless address autoconfiguration) by default, which makes it easier for remote attackers to obtain access by guessing 24 bits of the MAC address and attempting a root login. This can be exploited in conjunction with CVE-2017-17878.
CVE-2017-17843 2 Debian, Enigmail 2 Debian Linux, Enigmail 2026-06-17 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002.
CVE-2017-17841 1 Paloaltonetworks 1 Pan-os 2026-06-17 4.3 MEDIUM 5.9 MEDIUM
Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an interface implements SSL decryption with RSA enabled or hosts a GlobalProtect portal or gateway, might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack.
CVE-2017-17794 1 Blogotext Project 1 Blogotext 2026-06-17 7.5 HIGH 9.8 CRITICAL
validate_form_preferences in admin/preferences.php in BlogoText through 3.7.6 allows attackers to bypass intended access restrictions via vectors related to an e-mail address field.
CVE-2017-17761 1 Ichano 2 Athome Ip Camera, Athome Ip Camera Firmware 2026-06-17 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Ichano AtHome IP Camera devices. The device runs the "noodles" binary - a service on port 1300 that allows a remote (LAN) unauthenticated user to run arbitrary commands. This binary requires the "system" XML element for specifying the command. For example, a <system>id</system> command results in a <system_ack>ok</system_ack> response.
CVE-2017-17759 1 Conarc 1 Ichannel 2026-06-17 10.0 HIGH 9.8 CRITICAL
Conarc iChannel allows remote attackers to obtain sensitive information, modify the configuration, or cause a denial of service (by deleting the configuration) via a wc.dll?wwMaint~EditConfig request (which reaches an older version of a West Wind Web Connection HTTP service).
CVE-2017-17751 1 Bose 1 Soundtouch 2026-06-17 6.8 MEDIUM 8.8 HIGH
Bose SoundTouch devices allows remote attackers to achieve remote control via a crafted web site that uses the WebSocket Protocol.
CVE-2017-17738 1 Brightsign 2 4k242, 4k242 Firmware 2026-06-17 6.4 MEDIUM 7.5 HIGH
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) allows renaming and modifying files via /tools.html.
CVE-2017-17733 1 Maccms 1 Maccms 2026-06-17 7.5 HIGH 9.8 CRITICAL
Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request.
CVE-2017-17689 16 9folders, Apple, Bloop and 13 more 17 Nine, Mail, Airmail and 14 more 2026-06-17 4.3 MEDIUM 5.9 MEDIUM
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.
CVE-2017-17688 11 Apple, Bloop, Emclient and 8 more 11 Mail, Airmail, Emclient and 8 more 2026-06-17 4.3 MEDIUM 5.9 MEDIUM
The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification
CVE-2017-17566 1 Xen 1 Xen 2026-06-17 6.9 MEDIUM 7.8 HIGH
An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page.
CVE-2017-17562 2 Embedthis, Oracle 2 Goahead, Integrated Lights Out Manager 2026-06-17 6.8 MEDIUM 8.1 HIGH
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
CVE-2017-17561 1 Seacms Project 1 Seacms 2026-06-17 6.5 MEDIUM 7.2 HIGH
SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/admin_ping.php, which interacts with data/admin/ping.php.
CVE-2017-17553 1 Changyou 1 Dolphin 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
The Dolphin Browser for Android 12.0.2 suffers from an insecure parsing implementation of the Intent URI scheme. This vulnerability could allow attackers to abuse this implementation through a malicious Intent URI, in order to invoke private Activities within the Dolphin Browser.