Skip to main content
CVE-2017-9554 MEDIUM POC THREAT This Month

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 57.9%.

Synology Information Disclosure Diskstation Manager
NVD Exploit-DB
CVSS 3.0
5.3
EPSS
57.9%
Threat
4.3
CVE-2017-11585 CRITICAL POC Act Now

dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Finecms
NVD
CVSS 3.0
9.8
EPSS
1.1%
CVE-2017-11584 CRITICAL POC Act Now

dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Finecms
NVD
CVSS 3.0
9.8
EPSS
0.5%
CVE-2017-11324 CRITICAL POC Act Now

An issue was discovered in Tilde CMS 1.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Tilde Cms
NVD
CVSS 3.0
9.8
EPSS
0.2%
CVE-2017-11583 CRITICAL POC Act Now

dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Finecms
NVD
CVSS 3.0
9.8
EPSS
0.2%
CVE-2017-11582 CRITICAL POC Act Now

dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Finecms
NVD
CVSS 3.0
9.8
EPSS
0.2%
CVE-2017-11590 HIGH POC This Week

There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Libgxps
NVD
CVSS 3.0
7.5
EPSS
1.1%
CVE-2017-11592 HIGH POC This Week

There is a Mismatched Memory Management Routines vulnerability in the Exiv2::FileIo::seek function of Exiv2 0.26 that will lead to a remote denial of service attack (heap memory corruption) via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Exiv2
NVD
CVSS 3.0
7.5
EPSS
1.1%
CVE-2017-11591 HIGH POC This Week

There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Exiv2 Ubuntu Linux Debian Linux
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2017-11325 HIGH POC This Week

An issue was discovered in Tilde CMS 1.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Tilde Cms
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-11326 HIGH POC This Week

An issue was discovered in Tilde CMS 1.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Tilde Cms
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2017-11586 MEDIUM POC This Month

dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in a sync action, related to controllers/Weixin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect PHP Finecms
NVD
CVSS 3.0
6.1
EPSS
6.6%
CVE-2017-11588 CRITICAL Act Now

On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is remote command. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Command Injection Residential Gateway Firmware
NVD
CVSS 3.0
9.8
EPSS
6.3%
CVE-2017-11327 MEDIUM POC This Month

An issue was discovered in Tilde CMS 1.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Tilde Cms
NVD
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-11593 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus extension before 0.5.7 for Chrome allows remote attackers to inject arbitrary web script or HTML into some web applications via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Google Markdown Preview Plus Chrome
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-10711 MEDIUM POC This Month

In SimpleRisk 20170614-001, a CSRF attack on reset.php (aka the Send Password Reset Email form) can insert XSS sequences via the user parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF PHP Simplerisk
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-11581 MEDIUM POC This Month

dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a '<' character. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Finecms
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-11589 CRITICAL Act Now

On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is no access control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Cisco Residential Gateway Firmware
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2017-11594 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in the Markdown parser in Loomio before 1.8.0 allows remote attackers to inject arbitrary web script or HTML via non-sanitized Markdown content in a new. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Loomio
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2015-7703 HIGH This Week

The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ntp Linux Debian Linux Oncommand Performance Manager +9
NVD
CVSS 3.1
7.5
EPSS
8.1%
CVE-2017-11422 HIGH PATCH This Week

Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Information Disclosure Statamic
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2017-8036 HIGH This Week

An issue was discovered in the Cloud Controller API in Cloud Foundry Foundation CAPI-release version 1.33.0 (only). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Capi Release
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2017-11587 HIGH This Week

On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00.00.03.45.4E and DDR2201v1 ADSL2+ Residential Gateway DDR2201v1-NA-AnnexA-FCC-V00.00.03.28.3 devices, there is directory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Cisco Residential Gateway Firmware
NVD
CVSS 3.0
7.5
EPSS
0.7%
CVE-2017-9553 HIGH This Week

A design flaw in SYNO.API.Encryption in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to bypass the encryption protection mechanism via the crafted version parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Synology Authentication Bypass Diskstation Manager
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2017-1382 HIGH PATCH This Week

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create files using the default permissions instead of the customized permissions when custom startup scripts are used. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

IBM Privilege Escalation Websphere Application Server
NVD
CVSS 3.0
7.1
EPSS
0.0%
CVE-2017-11600 HIGH This Week

net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local. Rated high severity (CVSS 7.0). No vendor patch available.

Buffer Overflow Denial Of Service Linux Information Disclosure Linux Kernel
NVD
CVSS 3.1
7.0
EPSS
0.1%
CVE-2017-11608 MEDIUM This Month

There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Information Disclosure Libsass
NVD
CVSS 3.0
6.5
EPSS
1.0%
CVE-2017-11605 MEDIUM This Month

There is a heap based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Information Disclosure Libsass
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-1380 MEDIUM PATCH This Month

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Websphere Application Server
NVD
CVSS 3.0
5.4
EPSS
0.4%
CVE-2016-8975 MEDIUM PATCH This Month

IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Rhapsody Design Manager
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2016-6118 MEDIUM PATCH This Month

IBM Emptoris Supplier Lifecycle Management 10.1.0.x is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Emptoris Strategic Supply Management
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-1249 MEDIUM PATCH This Month

IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Rhapsody Design Manager
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-1245 MEDIUM PATCH This Month

IBM Rational Software Architect Design Manager 5.0 and 6.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Rational Software Architect Design Manager
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-1287 MEDIUM PATCH This Month

IBM Rhapsody DM 5.0 and 6.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Open Redirect IBM Rhapsody Design Manager
NVD
CVSS 3.0
5.4
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy