Skip to main content
CVE-2017-11512 HIGH POC THREAT Act Now

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 82.9%.

Path Traversal Zoho Servicedesk
NVD
CVSS 3.0
7.5
EPSS
82.9%
Threat
5.5
CVE-2015-3933 CRITICAL POC PATCH Act Now

Multiple SQL injection vulnerabilities in inc/lib/User.class.php in MetalGenix GeniXCMS before 0.0.3-patch allow remote attackers to execute arbitrary SQL commands via the (1) email parameter or (2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Genixcms
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
2.4%
CVE-2017-16618 CRITICAL POC PATCH Act Now

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Owlmixin
NVD GitHub
CVSS 3.0
9.8
EPSS
2.0%
CVE-2017-16660 HIGH POC This Week

Cacti 1.1.27 allows remote authenticated administrators to conduct Remote Code Execution attacks by placing the Log Path under the web root, and then making a remote_agent.php request containing PHP. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Information Disclosure Cacti
NVD GitHub
CVSS 3.0
7.2
EPSS
2.6%
CVE-2017-9096 HIGH PATCH This Week

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XXE Itext
NVD
CVSS 3.0
8.8
EPSS
7.6%
CVE-2017-16616 CRITICAL PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Pyanyapi
NVD GitHub
CVSS 3.0
9.8
EPSS
1.2%
CVE-2017-16615 CRITICAL PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Mlalchemy
NVD GitHub
CVSS 3.0
9.8
EPSS
0.9%
CVE-2017-16661 MEDIUM POC This Month

Cacti 1.1.27 allows remote authenticated administrators to read arbitrary files by placing the Log Path into a private directory, and then making a clog.php?filename= request, as demonstrated by. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Cacti
NVD GitHub
CVSS 3.0
4.9
EPSS
0.1%
CVE-2017-11511 HIGH This Week

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Zoho Servicedesk
NVD
CVSS 3.0
7.5
EPSS
4.1%
CVE-2017-12824 HIGH This Week

Special crafted InPage document leads to arbitrary code execution in InPage reader. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Inpage
NVD
CVSS 3.0
7.8
EPSS
0.7%
CVE-2017-16667 HIGH PATCH This Week

backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Backintime
NVD GitHub
CVSS 3.0
7.8
EPSS
0.4%
CVE-2017-16659 HIGH This Week

The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows local users to gain privileges by leveraging access to the assp user account to install a Trojan horse /usr/share/assp/assp.pl. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Anti Spam Smtp Proxy
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2017-15865 HIGH This Week

bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in Cumulus Linux before 3.4.3 and other products, allows remote attackers to obtain sensitive information via a malformed BGP UPDATE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Frrouting
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2017-15087 HIGH This Week

It was discovered that the fix for CVE-2017-12163 was not properly shipped in erratum RHSA-2017:2858 for Red Hat Gluster Storage 3.3 for RHEL 6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Red Hat Information Disclosure Gluster Storage
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-15086 HIGH This Week

It was discovered that the fix for CVE-2017-12151 was not properly shipped in erratum RHSA-2017:2858 for Red Hat Gluster Storage 3.3 for RHEL 6. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Red Hat Information Disclosure Gluster Storage
NVD
CVSS 3.0
7.4
EPSS
0.3%
CVE-2017-16665 MEDIUM This Month

RemObjects Remoting SDK 9 1.0.0.0 for Delphi is vulnerable to a reflected Cross Site Scripting (XSS) attack via the service parameter to the /soap URI, triggering an invalid attempt to generate WSDL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Remoting Sdk 9
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-14360 MEDIUM This Month

A potential security vulnerability has been identified in HPE Content Manager Workgroup Service v9.00. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Denial Of Service Content Manager
NVD
CVSS 3.0
5.9
EPSS
0.5%
CVE-2017-15085 MEDIUM This Month

It was discovered that the fix for CVE-2017-12150 was not properly shipped in erratum RHSA-2017:2858 for Red Hat Gluster Storage 3.3 for RHEL 6. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Red Hat Information Disclosure Gluster Storage
NVD
CVSS 3.0
5.9
EPSS
0.3%
CVE-2017-16663 MEDIUM This Month

In sam2p 0.49.4, there are integer overflows (with resultant heap-based buffer overflows) in input-bmp.ci in the function ReadImage, because "width * height" multiplications occur unsafely. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Sam2P
NVD GitHub
CVSS 3.0
5.5
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy