Skip to main content
CVE-2017-8835 CRITICAL POC PATCH THREAT Act Now

SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 63.8%.

SQLi B305Hw2 Firmware 380Hw6 Firmware 580Hw2 Firmware 710Hw3 Firmware +2
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
63.8%
Threat
5.4
CVE-2017-9430 CRITICAL POC THREAT Emergency

Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.7%.

Buffer Overflow Denial Of Service Dnstracer
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
14.7%
CVE-2017-8837 CRITICAL POC PATCH THREAT Act Now

Cleartext password storage exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.0%.

Information Disclosure B305Hw2 Firmware 380Hw6 Firmware 580Hw2 Firmware 710Hw3 Firmware +2
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
11.0%
CVE-2017-1000367 MEDIUM POC THREAT This Month

Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation (embedded spaces) in the get_process_ttyname() function resulting in information disclosure and command execution. Rated medium severity (CVSS 6.4). Public exploit code available and EPSS exploitation probability 19.9%.

Race Condition Information Disclosure Sudo
NVD Exploit-DB
CVSS 3.0
6.4
EPSS
19.9%
CVE-2017-9442 HIGH POC This Week

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
2.1%
CVE-2017-8841 HIGH POC This Week

Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal B305Hw2 Firmware 380Hw6 Firmware 580Hw2 Firmware 710Hw3 Firmware +2
NVD Exploit-DB
CVSS 3.0
8.1
EPSS
4.5%
CVE-2017-8836 HIGH POC This Week

CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF B305Hw2 Firmware 380Hw6 Firmware 580Hw2 Firmware 710Hw3 Firmware +2
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
0.6%
CVE-2017-9443 HIGH POC This Week

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Bigtree Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2017-8839 MEDIUM POC This Month

XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS B305Hw2 Firmware 380Hw6 Firmware 580Hw2 Firmware 710Hw3 Firmware +2
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
2.0%
CVE-2017-8838 MEDIUM POC PATCH This Month

XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS B305Hw2 Firmware 380Hw6 Firmware 580Hw2 Firmware 710Hw3 Firmware +2
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
2.0%
CVE-2017-8840 MEDIUM POC PATCH This Month

Debug information disclosure exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devices with firmware before fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure B305Hw2 Firmware 380Hw6 Firmware 580Hw2 Firmware 710Hw3 Firmware +2
NVD Exploit-DB
CVSS 3.0
5.3
EPSS
3.8%
CVE-2017-9432 CRITICAL PATCH Act Now

Document Liberation Project libstaroffice before 2017-04-07 has an out-of-bounds write caused by a stack-based buffer overflow related to the DatabaseName::read function in lib/StarWriterStruct.cxx. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Memory Corruption Libstaroffice
NVD GitHub
CVSS 3.0
9.8
EPSS
0.8%
CVE-2017-9431 CRITICAL PATCH Act Now

Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Memory Corruption Google Grpc
NVD GitHub
CVSS 3.0
9.8
EPSS
0.8%
CVE-2017-9433 CRITICAL PATCH Act Now

Document Liberation Project libmwaw before 2017-04-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the MsWrd1Parser::readFootnoteCorrespondance function in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Libmwaw
NVD
CVSS 3.0
9.8
EPSS
0.5%
CVE-2017-9435 CRITICAL PATCH Act Now

Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-9436 CRITICAL PATCH Act Now

TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Teampass
NVD GitHub
CVSS 3.0
9.8
EPSS
0.2%
CVE-2017-8438 HIGH PATCH This Week

Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Elastic Privilege Escalation X Pack
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-9437 HIGH This Week

Openbravo Business Suite 3.0 is affected by SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Openbravo Erp
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-9444 HIGH PATCH This Week

BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages),. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-1000368 HIGH This Week

Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Sudo
NVD
CVSS 3.0
8.2
EPSS
0.1%
CVE-2017-9438 HIGH PATCH This Week

libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Yara
NVD GitHub
CVSS 3.0
7.5
EPSS
0.6%
CVE-2017-7669 HIGH PATCH This Week

In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable.

Docker Apache Information Disclosure Hadoop
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-9440 MEDIUM This Month

In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-9439 MEDIUM This Month

In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-9420 MEDIUM This Month

Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin before 3.3.0 for WordPress allows remote attackers to inject arbitrary JavaScript via the yr parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Spiffy Calendar
NVD
CVSS 3.0
6.1
EPSS
0.4%
CVE-2017-8440 MEDIUM This Month

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-8439 MEDIUM This Month

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-9434 MEDIUM This Month

Crypto++ (aka cryptopp) through 5.6.5 contains an out-of-bounds read vulnerability in zinflate.cpp in the Inflator filter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Crypto
NVD GitHub
CVSS 3.0
5.3
EPSS
0.5%
CVE-2017-8441 MEDIUM This Month

Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure X Pack
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-9441 LOW PATCH Monitor

Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy