Total
3952 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-1000052 | 1 Plug Project | 1 Plug | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
| Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to null byte injection in the Plug.Static component, which may allow users to bypass filetype restrictions. | |||||
| CVE-2017-15708 | 2 Apache, Oracle | 3 Synapse, Financial Services Market Risk Measurement And Management, Peoplesoft Enterprise Peopletools | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version. | |||||
| CVE-2017-17511 | 2 Debian, Kildclient | 2 Debian Linux, Kildclient | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| KildClient 3.1.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to prefs.c and worldgui.c. | |||||
| CVE-2017-7239 | 1 Ninka Project | 1 Ninka | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Ninka before 1.3.2 might allow remote attackers to obtain sensitive information, manipulate license compliance scan results, or cause a denial of service (process hang) via a crafted filename. | |||||
| CVE-2017-2140 | 1 Gaku | 1 Tablacus Explorer | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Tablacus Explorer 17.3.30 and earlier allows arbitrary scripts to be executed in the context of the application due to specially crafted directory. | |||||
| CVE-2017-17532 | 1 Kiwi Project | 1 Kiwi | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-17529 | 1 Abisource | 1 Abiword | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-17524 | 1 Swi-prolog | 1 Swi-prolog | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-17526 | 1 Giac Project | 1 Giac | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2016-2980 | 1 Ibm | 1 Sametime | 2025-04-20 | 6.8 MEDIUM | 6.3 MEDIUM |
| The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injection where a malicious site can inject their own script by exploiting a vulnerability in the way that the WebPlayer works. IBM X-Force ID: 113993. | |||||
| CVE-2017-14397 | 2 Anydesk, Microsoft | 2 Anydesk, Windows | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. | |||||
| CVE-2015-4075 | 1 Helpdeskpro | 1 Helpdesk Pro | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task. | |||||
| CVE-2017-17512 | 1 Sensible-utils Project | 1 Sensible-utils | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| sensible-browser in sensible-utils before 0.0.11 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument. | |||||
| CVE-2013-4578 | 1 Oracle | 2 Jdk, Jre | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation. | |||||
| CVE-2017-0154 | 1 Microsoft | 3 Internet Explorer, Windows 10, Windows Server 2016 | 2025-04-20 | 5.8 MEDIUM | 4.4 MEDIUM |
| Microsoft Internet Explorer 11 on Windows 10, 1511, and 1606 and Windows Server 2016 does not enforce cross-domain policies, allowing attackers to access information from one domain and inject it into another via a crafted application, aka, "Internet Explorer Elevation of Privilege Vulnerability." | |||||
| CVE-2017-17517 | 1 Sylpheed Project | 1 Sylpheed | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | |||||
| CVE-2017-9135 | 1 Mimosa | 2 Backhaul Radios, Client Radios | 2025-04-20 | 9.0 HIGH | 8.8 HIGH |
| An issue was discovered on Mimosa Client Radios before 2.2.4 and Mimosa Backhaul Radios before 2.2.4. On the backend of the device's web interface, there are some diagnostic tests available that are not displayed on the webpage; these are only accessible by crafting a POST request with a program like cURL. There is one test accessible via cURL that does not properly sanitize user input, allowing an attacker to execute shell commands as the root user. | |||||
| CVE-2024-34448 | 1 Ghost | 1 Ghost | 2025-04-18 | N/A | 8.8 HIGH |
| Ghost before 5.82.0 allows CSV Injection during a member CSV export. | |||||
| CVE-2025-0950 | 1 Angeljudesuarez | 1 Tailoring Management System | 2025-04-18 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in itsourcecode Tailoring Management System 1.0 and classified as critical. This issue affects some unknown processing of the file staffview.php. The manipulation of the argument staffid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-46986 | 1 Tuzitio | 1 Camaleon Cms | 2025-04-17 | N/A | 9.9 CRITICAL |
| Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||