Skip to main content
CVE-2017-11317 CRITICAL POC KEV THREAT Emergency

Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

RCE
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
91.8%
Threat
7.7
CVE-2017-11357 CRITICAL POC KEV THREAT Emergency

Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

RCE File Upload
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
93.9%
Threat
7.8
CVE-2017-11610 HIGH POC PATCH THREAT Act Now

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 93.8%.

Privilege Escalation Supervisor Fedora Debian Linux Cloudforms
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
93.8%
Threat
6.1
CVE-2017-12965 CRITICAL POC THREAT Emergency

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 22.2%.

Session Fixation Information Disclosure Apache2Triad
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
22.2%
Threat
4.1
CVE-2017-9506 MEDIUM POC THREAT This Month

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.0%.

XSS SSRF Atlassian Oauth
NVD
CVSS 3.0
6.1
EPSS
29.0%
CVE-2017-13137 CRITICAL POC Act Now

The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in the id parameter to form.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi PHP Formcraft
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2017-12970 HIGH POC This Week

Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack the authentication of authenticated users for requests that (1) add or (2) delete user accounts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Apache2Triad
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
0.2%
CVE-2017-13130 HIGH POC This Week

mcmnm in BMC Patrol allows local users to gain privileges via a crafted libmcmclnx.so file in the current working directory, because it is setuid root and the RPATH variable begins with the .:. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Patrol
NVD GitHub
CVSS 3.0
7.8
EPSS
0.1%
CVE-2017-12971 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Apache2Triad 1.5.4 allows remote attackers to inject arbitrary web script or HTML via the account parameter to phpsftpd/users.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Apache2Triad
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
2.9%
CVE-2015-5224 CRITICAL PATCH Act Now

The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Util Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
4.1%
CVE-2017-13648 MEDIUM POC This Month

In GraphicsMagick 1.3.26, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Graphicsmagick
NVD
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-13140 MEDIUM POC This Month

In ImageMagick before 6.9.9-1 and 7.x before 7.0.6-2, the ReadOnePNGImage function in coders/png.c allows remote attackers to cause a denial of service (application hang in LockSemaphoreInfo) via a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-13138 MEDIUM POC This Month

DOM based Cross-site scripting (XSS) vulnerability in the Bridge theme before 11.2 for WordPress allows remote attackers to inject arbitrary JavaScript. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Bridge
NVD
CVSS 3.0
6.1
EPSS
0.6%
CVE-2017-13139 CRITICAL PATCH Act Now

In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Information Disclosure Imagemagick Debian Linux Ubuntu Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
1.4%
CVE-2017-12858 CRITICAL PATCH Act Now

Double free vulnerability in the _zip_dirent_read function in zip_dirent.c in libzip allows attackers to have unspecified impact via unknown vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Libzip
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2017-12791 CRITICAL PATCH GHSA Act Now

Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Salt
NVD GitHub
CVSS 3.0
9.8
EPSS
0.9%
CVE-2017-12904 HIGH PATCH This Week

Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Nosql Injection Command Injection Newsbeuter Debian Linux
NVD GitHub
CVSS 3.0
8.8
EPSS
2.3%
CVE-2017-13146 HIGH PATCH This Week

In ImageMagick before 6.9.8-5 and 7.x before 7.0.5-6, there is a memory leak in the ReadMATImage function in coders/mat.c. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Imagemagick
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2017-13147 HIGH PATCH This Week

In GraphicsMagick 1.3.26, an allocation failure vulnerability was found in the function ReadMNGImage in coders/png.c when a small MNG file has a MEND chunk with a large length value. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Graphicsmagick
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-12844 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mail Server
NVD
CVSS 3.0
4.8
EPSS
0.2%
CVE-2017-11159 HIGH This Week

Multiple untrusted search path vulnerabilities in installer in Synology Photo Station Uploader before 1.4.2-084 on Windows allows local attackers to execute arbitrary code and conduct DLL hijacking. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Synology Microsoft Photo Station Uploader
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2017-13143 HIGH PATCH This Week

In ImageMagick before 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage function in coders/mat.c uses uninitialized data, which might allow remote attackers to obtain sensitive information from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Imagemagick
NVD GitHub
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-13145 MEDIUM PATCH This Month

In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image function in coders/jp2.c does not properly validate the channel geometry, leading to a crash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Imagemagick Debian Linux Ubuntu Linux
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
CVE-2017-13134 MEDIUM PATCH This Month

In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer over-read was found in the function SFWScan in coders/sfw.c, which allows attackers to cause a denial of service via a crafted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Denial Of Service Information Disclosure Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.8%
CVE-2017-13133 MEDIUM PATCH This Month

In ImageMagick 7.0.6-8, the load_level function in coders/xcf.c lacks offset validation, which allows attackers to cause a denial of service (load_tile memory exhaustion) via a crafted file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-13141 MEDIUM PATCH This Month

In ImageMagick before 6.9.9-4 and 7.x before 7.0.6-4, a crafted file could trigger a memory leak in ReadOnePNGImage in coders/png.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-13131 MEDIUM PATCH This Month

In ImageMagick 7.0.6-8, a memory leak vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (memory consumption in NewLinkedList. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-13142 MEDIUM PATCH This Month

In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-13132 MEDIUM PATCH This Month

In ImageMagick 7.0.6-8, the WritePDFImage function in coders/pdf.c operates on an incorrect data structure in the "dump uncompressed PseudoColor packets" step, which allows attackers to cause a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Imagemagick
NVD GitHub
CVSS 3.0
6.5
EPSS
0.3%
CVE-2017-13144 MEDIUM PATCH This Month

In ImageMagick before 6.9.7-10, there is a crash (rather than a "width or height exceeds limit" error report) if the image dimensions are too large, as demonstrated by use of the mpc coder. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Imagemagick
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-12809 MEDIUM PATCH This Month

QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity.

Null Pointer Dereference Denial Of Service Qemu Debian Linux
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2017-12847 MEDIUM PATCH This Month

Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this. Rated medium severity (CVSS 6.3).

Information Disclosure Nagios
NVD GitHub
CVSS 3.0
6.3
EPSS
0.0%
CVE-2017-13649 MEDIUM This Month

UnrealIRCd 4.0.13 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Unrealircd
NVD
CVSS 3.0
5.5
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy