Total
22706 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7432 | 2 Netiq, Novell | 2 Imanager, Imanager | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3.x before 3.0.3.1 have a webshell upload vulnerability. | |||||
| CVE-2017-7444 | 1 Veritas | 1 System Recovery | 2019-10-02 | 9.3 HIGH | 7.8 HIGH |
| In Veritas System Recovery before 16 SP1, there is a DLL hijacking vulnerability in the patch installer if an attacker has write access to the directory from which the product is executed. | |||||
| CVE-2017-7474 | 1 Keycloak | 1 Keycloak-nodejs-auth-utils | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks. | |||||
| CVE-2017-7547 | 1 Postgresql | 1 Postgresql | 2019-10-02 | 4.0 MEDIUM | 8.8 HIGH |
| PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. | |||||
| CVE-2017-7548 | 1 Postgresql | 1 Postgresql | 2019-10-02 | 4.0 MEDIUM | 7.5 HIGH |
| PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service. | |||||
| CVE-2017-7552 | 1 Redhat | 1 Mobile Application Platform | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| A flaw was discovered in the file editor of millicore, affecting versions before 3.19.0 and 4.x before 4.5.0, which allows files to be executed as well as created. An attacker could use this flaw to compromise other users or teams projects stored in source control management of the RHMAP Core installation. | |||||
| CVE-2017-7627 | 1 Smart Related Articles Project | 1 Smart Related Articles | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The "Smart related articles" extension 1.1 for Joomla! does not prevent direct requests to dialog.php (there is a missing _JEXEC check). | |||||
| CVE-2017-7647 | 1 Solarwinds | 1 Log \& Event Manager | 2019-10-02 | 6.5 MEDIUM | 8.8 HIGH |
| SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows an authenticated user to execute arbitrary commands. | |||||
| CVE-2017-7680 | 1 Apache | 1 Openmeetings | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains. | |||||
| CVE-2017-7682 | 1 Apache | 1 Openmeetings | 2019-10-02 | 6.4 MEDIUM | 8.2 HIGH |
| Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas. | |||||
| CVE-2017-7685 | 1 Apache | 1 Openmeetings | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH. | |||||
| CVE-2017-7687 | 1 Apache | 1 Mesos | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos before 1.1.3, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.0-dev might crash because the code accidentally calls inappropriate function. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable. | |||||
| CVE-2017-7688 | 1 Apache | 1 Openmeetings | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| Apache OpenMeetings 1.0.0 updates user password in insecure manner. | |||||
| CVE-2017-7766 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2019-10-02 | 4.6 MEDIUM | 7.8 HIGH |
| An attack using manipulation of "updater.ini" contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution and deletion by the Maintenance Service, which has privileged access. Note: This attack requires local system access and only affects Windows. Other operating systems are not affected. This vulnerability affects Firefox ESR < 52.2 and Firefox < 54. | |||||
| CVE-2017-7781 | 1 Mozilla | 1 Firefox | 2019-10-02 | 4.3 MEDIUM | 5.9 MEDIUM |
| An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFINITY" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret. This vulnerability affects Firefox < 55. | |||||
| CVE-2017-7789 | 1 Mozilla | 1 Firefox | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection. This vulnerability affects Firefox < 55. | |||||
| CVE-2017-7790 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
| On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system. Note: This attack only affects Windows operating systems. Other operating systems are not affected. This vulnerability affects Firefox < 55. | |||||
| CVE-2017-7820 | 1 Mozilla | 1 Firefox | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The "instanceof" operator can bypass the Xray wrapper mechanism. When called on web content from the browser itself or an extension the web content can provide its own result for that operator, possibly tricking the browser or extension into mishandling the element. This vulnerability affects Firefox < 56. | |||||
| CVE-2017-7822 | 1 Mozilla | 1 Firefox | 2019-10-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The AES-GCM implementation in WebCrypto API accepts 0-length IV when it should require a length of 1 according to the NIST Special Publication 800-38D specification. This might allow for the authentication key to be determined in some instances. This vulnerability affects Firefox < 56. | |||||
| CVE-2017-7830 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2019-10-02 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5. | |||||