Total
1756 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18049 | 1 Silverstripe | 1 Silverstripe | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page. | |||||
| CVE-2017-16043 | 1 Shout Project | 1 Shout | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3. | |||||
| CVE-2017-15714 | 1 Apache | 1 Ofbiz | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code "__format=%27;alert(%27xss%27)" to the URL an alert window would execute. | |||||
| CVE-2017-14523 | 1 Wondercms | 1 Wondercms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from the administrator as a self attack | |||||
| CVE-2017-14094 | 1 Trendmicro | 1 Smart Protection Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system. | |||||
| CVE-2017-10963 | 1 Samsung | 2 Knox Enterprise Mobility Management, Knox Identity Access Management | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| In Knox SDS IAM (Identity Access Management) and EMM (Enterprise Mobility Management) 16.11 on Samsung mobile devices, a man-in-the-middle attacker can install any application into the Knox container (without the user's knowledge) by inspecting network traffic from a Samsung server and injecting content at a certain point in the update sequence. This installed application can further leak information stored inside the Knox container to the outside world. | |||||
| CVE-2017-1000493 | 1 Rocket.chat | 1 Rocket.chat | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover | |||||
| CVE-2017-1000454 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1 | |||||
| CVE-2017-1000453 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templating injection in some core modules, resulting in unauthenticated PHP code execution. | |||||
| CVE-2017-0372 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities. | |||||
| CVE-2016-8901 | 1 B2evolution | 1 B2evolution | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| b2evolution 6.7.6 suffer from an Object Injection vulnerability in /htsrv/call_plugin.php. | |||||
| CVE-2016-8900 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags. | |||||
| CVE-2016-8899 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats. | |||||
| CVE-2016-15007 | 1 Centralized Salesforce Development Framework Project | 1 Centralized Salesforce Development Framework | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability was found in Centralized-Salesforce-Dev-Framework. It has been declared as problematic. Affected by this vulnerability is the function SObjectService of the file src/classes/SObjectService.cls of the component SOQL Handler. The manipulation of the argument orderDirection leads to injection. The patch is named db03ac5b8a9d830095991b529c067a030a0ccf7b. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217195. | |||||
| CVE-2016-15004 | 1 Revmakx | 1 Infinitewp Client | 2024-11-21 | N/A | 7.3 HIGH |
| A vulnerability was found in InfiniteWP Client Plugin 1.5.1.3/1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to injection. The attack can be launched remotely. Upgrading to version 1.6.1.1 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2016-11068 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection. | |||||
| CVE-2016-10847 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| cPanel before 11.54.0.4 allows arbitrary file-read and file-write operations via scripts/fixmailboxpath (SEC-80). | |||||
| CVE-2016-10845 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 6.5 MEDIUM | 8.1 HIGH |
| cPanel before 11.54.0.4 allows arbitrary file-overwrite operations in scripts/check_system_storable (SEC-78). | |||||
| CVE-2016-10801 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| cPanel before 58.0.4 has improper session handling for shared users (SEC-139). | |||||
| CVE-2016-10761 | 1 Logitech | 10 K360, K360 Firmware, K400r and 7 more | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack. | |||||