Skip to main content
CVE-2017-1000170 HIGH POC THREAT Act Now

jqueryFileTree 2.1.5 and older Directory Traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 90.0%.

Path Traversal Jqueryfiletree
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
90.0%
Threat
5.7
CVE-2017-16877 HIGH POC PATCH THREAT Act Now

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.8%.

Path Traversal Next.js
NVD GitHub
CVSS 3.0
7.5
EPSS
80.8%
Threat
5.4
CVE-2017-6168 HIGH POC THREAT Act Now

On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) a virtual server configured with a Client SSL profile may. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 76.2%.

Information Disclosure Big Ip Ltm Big Ip Application Acceleration Manager Big Ip Afm Big Ip Analytics +5
NVD
CVSS 3.0
7.4
EPSS
76.2%
Threat
5.3
CVE-2017-1000220 CRITICAL POC PATCH THREAT Act Now

soyuka/pidusage <=1.1.4 is vulnerable to command injection in the module resulting in arbitrary command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.8%.

Command Injection Pidusage
NVD
CVSS 3.0
9.8
EPSS
11.8%
CVE-2017-1000228 CRITICAL POC PATCH Act Now

nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Ejs
NVD
CVSS 3.0
9.8
EPSS
7.2%
CVE-2017-1000219 CRITICAL POC PATCH Act Now

npm/KyleRoss windows-cpu all versions vulnerable to command injection resulting in code execution as Node.js user. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Microsoft Command Injection RCE Windows Cpu
NVD
CVSS 3.0
9.8
EPSS
3.3%
CVE-2017-1000218 CRITICAL POC Act Now

LightFTP version 1.1 is vulnerable to a buffer overflow in the "writelogentry" function resulting a denial of services or a remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Lightftp
NVD GitHub
CVSS 3.0
9.8
EPSS
2.3%
CVE-2017-1000172 CRITICAL POC Act Now

Creolabs Gravity Version: 1.0 Use-After-Free Possible code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Use After Free RCE Gravity
NVD GitHub
CVSS 3.0
9.8
EPSS
1.1%
CVE-2017-1000173 CRITICAL POC Act Now

Creolabs Gravity Version: 1.0 Heap Overflow Potential Code Execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Information Disclosure Gravity
NVD GitHub
CVSS 3.0
9.8
EPSS
1.1%
CVE-2017-1000232 CRITICAL POC Act Now

A double-free vulnerability in str2host.c in ldns 1.7.0 have unspecified impact and attack vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Ldns
NVD
CVSS 3.0
9.8
EPSS
0.5%
CVE-2017-1000237 CRITICAL POC Act Now

I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side Request Forgery in the ajaxsupplement.php resulting in the attacker being able to reset any user's password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF I Librarian
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2017-1000235 CRITICAL POC Act Now

I, Librarian version <=4.6 & 4.7 is vulnerable to OS Command Injection in batchimport.php resulting the web server being fully compromised. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection I Librarian
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2017-1000190 CRITICAL POC PATCH Act Now

SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE Information Disclosure SSRF Solr Simplexml
NVD GitHub
CVSS 3.1
9.1
EPSS
4.7%
CVE-2017-1000238 HIGH POC This Week

InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload resulting in an authenticated user can upload a malicious file to the webserver. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Invoiceplane
NVD
CVSS 3.0
8.8
EPSS
0.6%
CVE-2017-16871 HIGH POC This Week

The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP code execution because the plupload_action function in /wp-content/plugins/updraftplus/admin.php has a race condition before. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE WordPress Code Injection PHP Updraftplus
NVD GitHub
CVSS 3.0
8.1
EPSS
1.1%
CVE-2017-16870 HIGH POC This Week

The UpdraftPlus plugin through 1.13.12 for WordPress has SSRF in the updraft_ajax_handler function in /wp-content/plugins/updraftplus/admin.php via an httpget subaction. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SSRF WordPress PHP Updraftplus
NVD GitHub
CVSS 3.0
8.1
EPSS
0.4%
CVE-2017-1000229 HIGH POC This Week

Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 allows an attacker to remotely execute code or cause denial of service. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Denial Of Service Optipng Debian Linux
NVD
CVSS 3.0
7.8
EPSS
0.4%
CVE-2017-1000125 HIGH POC This Week

Codiad(full version) is vulnerable to write anything to configure file in the installation resulting upload a webshell. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Codiad
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2017-1000215 CRITICAL PATCH Act Now

ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection resulting in remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Command Injection Xrootd
NVD GitHub
CVSS 3.0
9.8
EPSS
7.1%
CVE-2017-1000221 MEDIUM POC PATCH This Month

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Opencast
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-1000224 MEDIUM POC This Month

CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Youtube
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-1000158 CRITICAL PATCH Act Now

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow RCE Python Buffer Overflow Debian Linux
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2017-1000169 CRITICAL Act Now

QuickerBB version <= 0.7.2 is vulnerable to arbitrary file writes which can lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Quickerbb
NVD GitHub
CVSS 3.0
9.8
EPSS
3.4%
CVE-2017-1000163 MEDIUM POC This Month

The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Phoenix
NVD
CVSS 3.0
6.1
EPSS
1.8%
CVE-2017-16845 CRITICAL PATCH Act Now

hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Qemu Debian Linux Ubuntu Linux
NVD
CVSS 3.1
10.0
EPSS
2.1%
CVE-2017-1000225 MEDIUM POC This Month

Reflected XSS in Relevanssi Premium version 1.14.8 when using relevanssi_didyoumean() could allow unauthenticated attacker to do almost anything an admin can. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Relevanssi
NVD
CVSS 3.0
6.1
EPSS
0.6%
CVE-2017-1000212 CRITICAL Act Now

Elixir's vim plugin, alchemist.vim is vulnerable to remote code execution in the bundled alchemist-server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Alchemist Server
NVD GitHub
CVSS 3.0
9.8
EPSS
1.9%
CVE-2017-1000236 MEDIUM POC This Month

I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cross-Site Scripting in the temp.php resulting in an attacker being able to inject malicious client side scripting which will be executed. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS I Librarian
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2017-16566 CRITICAL Act Now

On Jooan IP Camera A5 2.3.36 devices, an insecure FTP server does not require authentication, which allows remote attackers to read or replace core system files including those used for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jooan A5 Ip Camera Firmware
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2017-1000196 CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection PHP October
NVD GitHub
CVSS 3.0
9.8
EPSS
1.1%
CVE-2017-16872 CRITICAL Act Now

An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Pjsip Debian Linux
NVD
CVSS 3.0
9.8
EPSS
0.9%
CVE-2017-1000210 CRITICAL PATCH Act Now

picoTCP (versions 1.7.0 - 1.5.0) is vulnerable to stack buffer overflow resulting in code execution or denial of service attack. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow RCE Denial Of Service Picotcp
NVD GitHub
CVSS 3.0
9.8
EPSS
0.8%
CVE-2017-1000206 CRITICAL Act Now

samtools htslib library version 1.4.0 and earlier is vulnerable to buffer overflow in the CRAM rANS codec resulting in potential arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Htslib
NVD GitHub
CVSS 3.0
9.8
EPSS
0.6%
CVE-2017-1000231 CRITICAL PATCH Act Now

A double-free vulnerability in parse.c in ldns 1.7.0 have unspecified impact and attack vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Ldns
NVD
CVSS 3.0
9.8
EPSS
0.5%
CVE-2017-1000248 CRITICAL PATCH Act Now

Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Redis Redis Store
NVD GitHub
CVSS 3.0
9.8
EPSS
0.5%
CVE-2017-1000197 CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating malicious files on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure October
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2017-1000194 CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Apache File Upload October
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2017-1000192 CRITICAL Act Now

Cygnux sysPass version 2.1.7 and older is vulnerable to a Local File Inclusion in the functionality of javascript files inclusion. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Syspass
NVD GitHub
CVSS 3.0
9.8
EPSS
0.2%
CVE-2017-16819 MEDIUM POC This Month

A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Rtc 1000 Firmware
NVD Exploit-DB
CVSS 3.0
5.4
EPSS
1.1%
CVE-2017-1000164 MEDIUM POC This Month

Tine 2.0 version 2017.02.4 is vulnerable to XSS in the Addressbook resulting code execution and privilege escalation. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS RCE Privilege Escalation Tine 2 0
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-1000239 MEDIUM POC This Month

InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scripting resulting in allowing an authenticated user to inject malicious client side script which will be executed in the browser of. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Invoiceplane
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-1000227 MEDIUM POC This Month

Stored XSS in Salutation Responsive WordPress + BuddyPress Theme version 3.0.15 could allow logged-in users to do almost anything an admin can. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Salutation
NVD
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-1000226 MEDIUM POC This Month

Stop User Enumeration 1.3.8 allows user enumeration via the REST API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Stop User Enumeration
NVD
CVSS 3.0
5.3
EPSS
0.4%
CVE-2017-1000234 MEDIUM POC This Month

I, Librarian version <=4.6 & 4.7 is vulnerable to Directory Enumeration in the jqueryFileTree.php resulting in attacker enumerating directories simply by navigating through the "dir" parameter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure I Librarian
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2017-1000203 HIGH PATCH This Week

ROOT version 6.9.03 and below is vulnerable to an authenticated shell metacharacter injection in the rootd daemon resulting in remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

RCE Command Injection Root
NVD GitHub
CVSS 3.0
8.8
EPSS
2.2%
CVE-2017-1000217 HIGH PATCH This Week

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Opencast
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2017-1000208 HIGH PATCH This Week

A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Swagger Codegen Swagger Parser
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
CVE-2017-4934 HIGH PATCH This Week

VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 8.5.9) contain a heap buffer-overflow vulnerability in VMNAT device. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow VMware Workstation Fusion
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-1000241 HIGH This Week

The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Openemr
NVD
CVSS 3.0
8.1
EPSS
0.6%
CVE-2017-16869 HIGH This Week

p_mach.cpp in UPX 3.94 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted Mach-O file, related. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Upx
NVD GitHub
CVSS 3.0
7.8
EPSS
0.3%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy