Filtered by vendor
Subscriptions
Total
4743 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2017-1329 | 1 Ibm | 2 Rational Collaborative Lifecycle Management, Rational Quality Manager | 2024-11-21 | N/A |
IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 126231. | ||||
CVE-2017-1248 | 1 Ibm | 2 Rational Collaborative Lifecycle Management, Rational Quality Manager | 2024-11-21 | N/A |
IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 124628. | ||||
CVE-2017-1242 | 1 Ibm | 2 Rational Collaborative Lifecycle Management, Rational Quality Manager | 2024-11-21 | N/A |
IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 124524. | ||||
CVE-2017-18924 | 1 Oauth2-server Project | 1 Oauth2-server | 2024-11-21 | 7.5 High |
oauth2-server (aka node-oauth2-server) through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not misleading and I also therefore wouldn't describe this as a "vulnerability" with the library per se. | ||||
CVE-2017-18468 | 1 Cpanel | 1 Cpanel | 2024-11-21 | N/A |
cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232). | ||||
CVE-2017-18356 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | N/A |
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes. | ||||
CVE-2017-18113 | 1 Atlassian | 4 Data Center, Jira, Jira Data Center and 1 more | 2024-11-21 | 8.8 High |
The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix. | ||||
CVE-2017-18108 | 1 Atlassian | 1 Crowd | 2024-11-21 | N/A |
The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. | ||||
CVE-2017-17098 | 1 Gps-server | 1 Gps Tracking Software | 2024-11-21 | N/A |
The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by <?php system($_GET[cmd]); ?> in a login request. | ||||
CVE-2017-16905 | 2 Duolingo, Google | 2 Tinycards, Android | 2024-11-21 | N/A |
The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack. | ||||
CVE-2017-16670 | 1 Smartbear | 1 Soapui | 2024-11-21 | N/A |
The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file. | ||||
CVE-2017-16151 | 1 Electronjs | 1 Electron | 2024-11-21 | N/A |
Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled. | ||||
CVE-2017-16100 | 1 Dns-sync Project | 1 Dns-sync | 2024-11-21 | N/A |
dns-sync is a sync/blocking dns resolver. If untrusted user input is allowed into the resolve() method then command injection is possible. | ||||
CVE-2017-16082 | 1 Node-postgres | 1 Pg | 2024-11-21 | N/A |
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious. | ||||
CVE-2017-16042 | 1 Growl Project | 1 Growl | 2024-11-21 | N/A |
Growl adds growl notification support to nodejs. Growl before 1.10.2 does not properly sanitize input before passing it to exec, allowing for arbitrary command execution. | ||||
CVE-2017-16020 | 1 Summit Project | 1 Summit | 2024-11-21 | 9.8 Critical |
Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name. | ||||
CVE-2017-14853 | 1 Orpak | 1 Siteomat | 2024-11-21 | N/A |
The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shell command. By tampering with the request, an attacker is able to run shell commands and receive valid output from the device. | ||||
CVE-2017-1002152 | 1 Redhat | 1 Bodhi | 2024-11-21 | 6.1 Medium |
Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles. | ||||
CVE-2017-1000480 | 1 Smarty | 1 Smarty | 2024-11-21 | N/A |
Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name. | ||||
CVE-2016-9651 | 2 Google, Redhat | 5 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 2 more | 2024-11-21 | N/A |
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. |