Total
1595 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-16680 | 1 Sap | 1 Hana Extended Application Services | 2024-11-21 | N/A |
| Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines. Hence the interpretation of audit log files could be hindered or misdirected. 2) User Account and Authentication writes audit logs into syslog and additionally writes the same audit entries into a log file. Entries in the log file miss escaping. Hence the interpretation of audit log files could be hindered or misdirected, while the entries in syslog are correct. | ||||
| CVE-2017-16043 | 1 Shout Project | 1 Shout | 2024-11-21 | 6.1 Medium |
| Shout is an IRC client. Because the `/topic` command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser. Affects shout >=0.44.0 <=0.49.3. | ||||
| CVE-2017-15714 | 1 Apache | 1 Ofbiz | 2024-11-21 | N/A |
| The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code "__format=%27;alert(%27xss%27)" to the URL an alert window would execute. | ||||
| CVE-2017-15708 | 2 Apache, Oracle | 3 Synapse, Financial Services Market Risk Measurement And Management, Peoplesoft Enterprise Peopletools | 2024-11-21 | 9.8 Critical |
| In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. | ||||
| CVE-2017-15313 | 1 Huawei | 1 Smartcare | 2024-11-21 | N/A |
| Huawei SmartCare V200R003C10 has a CSV injection vulnerability. An remote authenticated attacker could inject malicious CSV expression to the affected device. | ||||
| CVE-2017-14523 | 1 Wondercms | 1 Wondercms | 2024-11-21 | N/A |
| WonderCMS 2.3.1 is vulnerable to an HTTP Host header injection attack. It uses user-entered values to redirect pages. NOTE: the vendor reports that exploitation is unlikely because the attack can only come from a local machine or from the administrator as a self attack | ||||
| CVE-2017-14397 | 2 Anydesk, Microsoft | 2 Anydesk, Windows | 2024-11-21 | N/A |
| AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. | ||||
| CVE-2017-14094 | 1 Trendmicro | 1 Smart Protection Server | 2024-11-21 | N/A |
| A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system. | ||||
| CVE-2017-10963 | 1 Samsung | 2 Knox Enterprise Mobility Management, Knox Identity Access Management | 2024-11-21 | N/A |
| In Knox SDS IAM (Identity Access Management) and EMM (Enterprise Mobility Management) 16.11 on Samsung mobile devices, a man-in-the-middle attacker can install any application into the Knox container (without the user's knowledge) by inspecting network traffic from a Samsung server and injecting content at a certain point in the update sequence. This installed application can further leak information stored inside the Knox container to the outside world. | ||||
| CVE-2017-1000493 | 1 Rocket.chat | 1 Rocket.chat | 2024-11-21 | N/A |
| Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover | ||||
| CVE-2017-1000454 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | N/A |
| CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template Injection in some core components, resulting in local file read before 2.2, and local file inclusion since 2.2.1 | ||||
| CVE-2017-1000453 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-11-21 | N/A |
| CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templating injection in some core modules, resulting in unauthenticated PHP code execution. | ||||
| CVE-2017-1000217 | 1 Opencast | 1 Opencast | 2024-11-21 | N/A |
| Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0. | ||||
| CVE-2017-1000052 | 1 Plug Project | 1 Plug | 2024-11-21 | 7.8 High |
| Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to null byte injection in the Plug.Static component, which may allow users to bypass filetype restrictions. | ||||
| CVE-2017-0372 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | N/A |
| Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities. | ||||
| CVE-2017-0154 | 1 Microsoft | 3 Internet Explorer, Windows 10, Windows Server 2016 | 2024-11-21 | N/A |
| Microsoft Internet Explorer 11 on Windows 10, 1511, and 1606 and Windows Server 2016 does not enforce cross-domain policies, allowing attackers to access information from one domain and inject it into another via a crafted application, aka, "Internet Explorer Elevation of Privilege Vulnerability." | ||||
| CVE-2016-9832 | 1 Pwc | 1 Ace-advanced Business Application Programming | 2024-11-21 | N/A |
| PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report. | ||||
| CVE-2016-8901 | 1 B2evolution | 1 B2evolution | 2024-11-21 | N/A |
| b2evolution 6.7.6 suffer from an Object Injection vulnerability in /htsrv/call_plugin.php. | ||||
| CVE-2016-8900 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A |
| Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags. | ||||
| CVE-2016-8899 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A |
| Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats. | ||||