Skip to main content
CVE-2017-17968 CRITICAL POC THREAT Emergency

A buffer overflow vulnerability in NetTransport.exe in NetTransport Download Manager 2.96L and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long HTTP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 54.6%.

Buffer Overflow RCE Nettransport Download Manager
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
54.6%
Threat
5.1
CVE-2015-3302 HIGH POC THREAT Act Now

The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 20.6%.

WordPress Authentication Bypass Thecartpress Ecommerce Shopping Cart
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
20.6%
CVE-2017-17974 CRITICAL POC Act Now

BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPserv 00002, and Script 02.*) and ISC2000 devices allows remote attackers to obtain sensitive information via a request for. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Bas920 Firmware Isc2000 Firmware
NVD GitHub
CVSS 3.0
9.8
EPSS
0.5%
CVE-2017-17973 HIGH POC This Week

In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Use After Free Information Disclosure Libtiff
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2017-17917 HIGH POC This Week

SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Rails
NVD
CVSS 3.1
8.1
EPSS
1.8%
CVE-2017-17916 HIGH POC This Week

SQL injection vulnerability in the 'find_by' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Rails
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2017-17919 HIGH POC This Week

SQL injection vulnerability in the 'order' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id desc' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Ruby On Rails
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2017-17920 HIGH POC This Week

SQL injection vulnerability in the 'reorder' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'name' parameter. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SQLi Ruby On Rails
NVD
CVSS 3.0
8.1
EPSS
0.5%
CVE-2017-17901 HIGH POC This Week

ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via a flood of IP packets with a TTL of 1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Zyxel P 660Hw Firmware
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2014-9515 CRITICAL Act Now

Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Dozer
NVD GitHub
CVSS 3.1
9.8
EPSS
5.4%
CVE-2014-4914 CRITICAL Act Now

The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Zend Framework Debian Linux
NVD
CVSS 3.0
9.8
EPSS
3.4%
CVE-2017-17933 MEDIUM POC This Month

cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or 9021) in NetWin SurgeFTP version 23f2 has XSS via the classid, domainid, or username parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Surgeftp
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2017-17971 MEDIUM POC PATCH This Month

The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Dolibarr Erp Crm
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2014-0121 CRITICAL PATCH Act Now

The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Hawtio Jboss Fuse
NVD GitHub
CVSS 3.0
9.8
EPSS
1.5%
CVE-2014-3630 CRITICAL Act Now

XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE Java Play Framework
NVD
CVSS 3.0
9.8
EPSS
0.7%
CVE-2014-0120 HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Hawtio Jboss Fuse
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2014-8119 HIGH This Week

The find_ifcfg_path function in netcf before 0.2.7 might allow attackers to cause a denial of service (application crash) via vectors involving augeas path expressions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Fedora Enterprise Linux Netcf
NVD
CVSS 3.0
7.5
EPSS
2.4%
CVE-2014-3651 HIGH PATCH This Week

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Keycloak
NVD
CVSS 3.0
7.5
EPSS
0.8%
CVE-2015-8008 HIGH PATCH This Week

The OAuth extension for MediaWiki improperly negotiates a new client token only over Special:OAuth/initiate, which allows attackers to bypass intended IP address access restrictions by making an API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Mediawiki Fedora
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2013-7400 HIGH PATCH This Week

The Direct Mail (direct_mail) extension before 3.1.2 for TYPO3 allows remote attackers to obtain sensitive information by leveraging improper checking of authentication codes. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Direct Mail
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2017-17760 MEDIUM PATCH This Month

OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData function in grfmt_pxm.cpp, because an incorrect size value is used. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Opencv Debian Linux
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
CVE-2017-17910 MEDIUM This Month

On Hoermann BiSecur devices before 2018, a vulnerability can be exploited by recording a single radio transmission. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Hs5 868 Bs Firmware Hse2 868 Bs Firmware Hse1 868 Bs Firmware
NVD
CVSS 3.0
6.5
EPSS
0.1%
CVE-2017-16876 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the _keyify function in mistune.py in Mistune before 0.8.1 allows remote attackers to inject arbitrary web script or HTML by leveraging failure to escape. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Mistune Fedora
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2016-3695 MEDIUM PATCH This Month

The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Denial Of Service Linux Linux Kernel Enterprise Linux
NVD GitHub
CVSS 3.0
5.5
EPSS
0.1%
CVE-2014-4978 MEDIUM PATCH This Month

The rs_filter_graph function in librawstudio/rs-filter.c in rawstudio might allow local users to truncate arbitrary files via a symlink attack on (1) /tmp/rs-filter-graph.png or (2). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Rawstudio Fedora
NVD GitHub
CVSS 3.0
5.5
EPSS
0.0%
CVE-2013-4578 MEDIUM PATCH This Month

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Java Oracle Jdk Jre
NVD
CVSS 3.0
5.3
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy