Total: 322798 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2017-1000505 | 1 Jenkins | 1 Script Security | 2024-11-21 | N/A | In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval. |
| CVE-2017-1000504 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A | A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier startup could result in the wrong order of execution of commands during initialization. There is a very short window of time after startup during which Jenkins may no longer show the 'Please wait while Jenkins is getting ready to work' message but Cross-Site Request Forgery (CSRF) protection may not yet be effective. |
| CVE-2017-1000503 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A | A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 startup could result in the wrong order of execution of commands during initialization. This could in rare cases result in failure to initialize the setup wizard on the first startup. This resulted in multiple security-related settings not being set to their usual strict default. |
| CVE-2017-1000502 | 1 Jenkins | 1 Ec2 | 2024-11-21 | N/A | Users with permission to create or configure agents in Jenkins 1.37 and earlier could configure an EC2 agent to run arbitrary shell commands on the master node whenever the agent was supposed to be launched. Configuration of these agents now requires the 'Run Scripts' permission typically only granted to administrators. |
| CVE-2017-1000501 | 2 Awstats, Debian | 2 Awstats, Debian Linux | 2024-11-21 | N/A | Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution. |
| CVE-2017-1000499 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-11-21 | N/A | phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc. |
| CVE-2017-1000498 | 1 Androidsvg Project | 1 Androidsvg | 2024-11-21 | 7.8 High | AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsing component resulting in denial of service and possibly remote code execution. |
| CVE-2017-1000497 | 1 Pepperminty-wiki Project | 1 Pepperminty-wiki | 2024-11-21 | 9.8 Critical | Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the getsvgsize function resulting in denial of service and possibly remote code execution. |
| CVE-2017-1000496 | 1 Commsy | 1 Commsy | 2024-11-21 | N/A | Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code. |
| CVE-2017-1000495 | 1 Quickappscms | 1 Quickapps Cms | 2024-11-21 | N/A | QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site Scripting in the user's real name field resulting in denial of service and performing unauthorised actions with an administrator user's account. |
| CVE-2017-1000494 | 1 Miniupnp Project | 1 Miniupnpd | 2024-11-21 | N/A | Uninitialized stack variable vulnerability in NameValueParserEndElt (upnpreplyparse.c) in miniupnpd < 2.0 allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or possibly have unspecified other impact. |
| CVE-2017-1000493 | 1 Rocket.chat | 1 Rocket.chat | 2024-11-21 | N/A | Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover. |
| CVE-2017-1000492 | 1 Leanote | 1 Desktop | 2024-11-21 | N/A | Leanote-desktop version v2.5 is vulnerable to an XSS which leads to code execution due to enabled node integration. |
| CVE-2017-1000491 | 1 Shiba Project | 1 Shiba | 2024-11-21 | N/A | Shiba markdown live preview app version 1.1.0 is vulnerable to XSS which leads to code execution due to enabled node integration. |
| CVE-2017-1000490 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-11-21 | N/A | Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to. |
| CVE-2017-1000489 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-11-21 | N/A | Mautic versions 2.0.0 - 2.11.0 with an SSO plugin installed could allow a disabled user to still log in using an email address. |
| CVE-2017-1000488 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-11-21 | N/A | Mautic versions 2.1.0 - 2.11.0 are vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form. |
| CVE-2017-1000487 | 3 Codehaus-plexus, Debian, Redhat | 4 Plexus-utils, Debian Linux, Jboss Amq and 1 more | 2024-11-21 | 9.8 Critical | Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. |
| CVE-2017-1000485 | 1 Nylas Mail Lives Project | 1 Nylas Mail | 2024-11-21 | N/A | Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations. |
| CVE-2017-1000484 | 1 Plone | 1 Plone | 2024-11-21 | N/A | By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an attacker could send you to his own website. On its own this is not so bad: the attacker could more easily link directly to his own website instead. But in combination with another attack, you could be sent to the Plone login form and log in, then get redirected to the specific url, and then get a second redirect to the attacker website. (The specific url can be seen by inspecting the hotfix code, but we don't want to make it too easy for attackers by spelling it out here.) |