Total
35896 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18076 | 2 Debian, Omniauth | 2 Debian Linux, Omniauth | 2026-06-17 | 5.0 MEDIUM | 7.5 HIGH |
| In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase. | |||||
| CVE-2017-18071 | 1 Qualcomm | 24 Mdm9206, Mdm9206 Firmware, Mdm9607 and 21 more | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, debug policy can potentially be bypassed. | |||||
| CVE-2017-18045 | 1 Directadmin | 1 Directadmin | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| JBMC DirectAdmin before 1.52, when the email_ftp_password_change setting is nonzero, allows remote attackers to obtain access or cause a denial of service (segfault) via an unspecified request. | |||||
| CVE-2017-18026 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536. | |||||
| CVE-2017-17974 | 1 Basystems | 4 Bas920, Bas920 Firmware, Isc2000 and 1 more | 2026-06-17 | 5.0 MEDIUM | 9.8 CRITICAL |
| BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for isc/get_sid_js.aspx or isc/get_sid.aspx, as demonstrated by obtaining administrative access by subsequently using the credential information for the Supervisor/Administrator account. | |||||
| CVE-2017-17877 | 1 Valvesoftware | 2 Steam Link, Steam Link Firmware | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in Valve Steam Link build 643. When the SSH daemon is enabled for local development, the device is publicly available via IPv6 TCP port 22 over the internet (with stateless address autoconfiguration) by default, which makes it easier for remote attackers to obtain access by guessing 24 bits of the MAC address and attempting a root login. This can be exploited in conjunction with CVE-2017-17878. | |||||
| CVE-2017-17843 | 2 Debian, Enigmail | 2 Debian Linux, Enigmail | 2026-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Enigmail before 1.9.9 that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list, as demonstrated by a modified Full Name field and a homograph attack, aka TBE-01-002. | |||||
| CVE-2017-17841 | 1 Paloaltonetworks | 1 Pan-os | 2026-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an interface implements SSL decryption with RSA enabled or hosts a GlobalProtect portal or gateway, might allow remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a ROBOT attack. | |||||
| CVE-2017-17794 | 1 Blogotext Project | 1 Blogotext | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| validate_form_preferences in admin/preferences.php in BlogoText through 3.7.6 allows attackers to bypass intended access restrictions via vectors related to an e-mail address field. | |||||
| CVE-2017-17761 | 1 Ichano | 2 Athome Ip Camera, Athome Ip Camera Firmware | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered on Ichano AtHome IP Camera devices. The device runs the "noodles" binary - a service on port 1300 that allows a remote (LAN) unauthenticated user to run arbitrary commands. This binary requires the "system" XML element for specifying the command. For example, a <system>id</system> command results in a <system_ack>ok</system_ack> response. | |||||
| CVE-2017-17759 | 1 Conarc | 1 Ichannel | 2026-06-17 | 10.0 HIGH | 9.8 CRITICAL |
| Conarc iChannel allows remote attackers to obtain sensitive information, modify the configuration, or cause a denial of service (by deleting the configuration) via a wc.dll?wwMaint~EditConfig request (which reaches an older version of a West Wind Web Connection HTTP service). | |||||
| CVE-2017-17751 | 1 Bose | 1 Soundtouch | 2026-06-17 | 6.8 MEDIUM | 8.8 HIGH |
| Bose SoundTouch devices allows remote attackers to achieve remote control via a crafted web site that uses the WebSocket Protocol. | |||||
| CVE-2017-17738 | 1 Brightsign | 2 4k242, 4k242 Firmware | 2026-06-17 | 6.4 MEDIUM | 7.5 HIGH |
| The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) allows renaming and modifying files via /tools.html. | |||||
| CVE-2017-17733 | 1 Maccms | 1 Maccms | 2026-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| Maccms 8.x allows remote command execution via the wd parameter in an index.php?m=vod-search request. | |||||
| CVE-2017-17689 | 16 9folders, Apple, Bloop and 13 more | 17 Nine, Mail, Airmail and 14 more | 2026-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. | |||||
| CVE-2017-17688 | 11 Apple, Bloop, Emclient and 8 more | 11 Mail, Airmail, Emclient and 8 more | 2026-06-17 | 4.3 MEDIUM | 5.9 MEDIUM |
| The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification | |||||
| CVE-2017-17566 | 1 Xen | 1 Xen | 2026-06-17 | 6.9 MEDIUM | 7.8 HIGH |
| An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page. | |||||
| CVE-2017-17562 | 2 Embedthis, Oracle | 2 Goahead, Integrated Lights Out Manager | 2026-06-17 | 6.8 MEDIUM | 8.1 HIGH |
| Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0. | |||||
| CVE-2017-17561 | 1 Seacms Project | 1 Seacms | 2026-06-17 | 6.5 MEDIUM | 7.2 HIGH |
| SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/admin_ping.php, which interacts with data/admin/ping.php. | |||||
| CVE-2017-17553 | 1 Changyou | 1 Dolphin | 2026-06-17 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Dolphin Browser for Android 12.0.2 suffers from an insecure parsing implementation of the Intent URI scheme. This vulnerability could allow attackers to abuse this implementation through a malicious Intent URI, in order to invoke private Activities within the Dolphin Browser. | |||||
