Total
29914 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-17688 | 11 Apple, Bloop, Emclient and 8 more | 11 Mail, Airmail, Emclient and 8 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| ** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification. | |||||
| CVE-2017-17327 | 1 Huawei | 2 Mha-al00a, Mha-al00a Firmware | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Huawei smartphones with software of MHA-AL00AC00B125 have an improper resource management vulnerability. The software does not properly manage the resource when do device register operation. An attacker tricks the user who has root privilege to install a crafted application, successful exploit could cause certain service unavailable. | |||||
| CVE-2017-17326 | 1 Huawei | 2 Mate 9 Pro, Mate 9 Pro Fimware | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Huawei Mate 9 Pro Smartphones with software of LON-AL00BC00B139D; LON-AL00BC00B229 have an activation lock bypass vulnerability. The smartphone is supposed to be activated by the former account after reset if find my phone function is on. The software does not have a sufficient protection of activation lock. Successful exploit could allow an attacker to bypass the activation lock and activate the smartphone by a new account after a series of operation. | |||||
| CVE-2017-17325 | 1 Huawei | 1 Hicinema | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
| Huawei video applications HiCinema with software of 8.0.3.308; 8.0.4.300 have a permission control vulnerability. Due to improper verification of specific interface, an attacker who is on the same network with the user can obtain some information through a man-in-the-middle attack. | |||||
| CVE-2017-17284 | 1 Huawei | 12 Dp300, Dp300 Firmware, Rp200 and 9 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C01, V100R001C10, V500R002C00, V600R006C00 have a resource management error vulnerability. A remote attacker may send huge number of specially crafted SIP messages to the affected products. Due to improper handling of some value in the messages, successful exploit will cause some services abnormal. | |||||
| CVE-2017-17279 | 1 Huawei | 2 Mate 9 Pro, Mate 9 Pro Firmware | 2024-11-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| The soundtrigger module in Huawei Mate 9 Pro smart phones with software of the versions before LON-AL00B 8.0.0.343(C00) has an authentication bypass vulnerability due to the improper design of the module. An attacker tricks a user into installing a malicious application, and the application can exploit the vulnerability and make attacker bypass the authentication, the attacker can control the phone to sent short messages and make call within audio range to the phone. | |||||
| CVE-2017-17149 | 1 Huawei | 1 Hiwallet | 2024-11-21 | 2.1 LOW | 3.9 LOW |
| Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lock pattern change vulnerability. It needs to verify the user's Huawei ID during lock pattern change. An attacker with root privilege who gets a user's smart phone may bypass Huawei ID verification by special operation. Successful exploit of this vulnerability can allow an attacker to change the lock pattern of HiWallet. | |||||
| CVE-2017-17145 | 1 Huawei | 2 Honor V9 Play, Honor V9 Play Firmware | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
| Huawei Honor V9 Play smart phones with the versions before Jimmy-AL00AC00B135 have an authentication bypass vulnerability due to the improper design of a component. An attacker who get a user's smart phone can execute specific operation, and delete the fingerprint of the phone without authentication. | |||||
| CVE-2017-17101 | 1 Apexis | 2 Apm-h803-mpc, Apm-h803-mpc Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Apexis APM-H803-MPC software, as used with many different models of IP Camera. An unprotected CGI method inside the web application permits an unauthenticated user to bypass the login screen and access the webcam contents including: live video stream, configuration files with all the passwords, system information, and much more. With this vulnerability, anyone can access to a vulnerable webcam with 'super admin' privilege. | |||||
| CVE-2017-16873 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| It is possible to exploit an unsanitized PATH in the suid binary that ships with vagrant-vmware-fusion 4.0.25 through 5.0.4 in order to escalate to root privileges. | |||||
| CVE-2017-16861 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| It was possible for double OGNL evaluation in certain redirect action and in WebWork URL and Anchor tags in JSP files to occur. An attacker who can access the web interface of Fisheye or Crucible or who hosts a website that a user who can access the web interface of Fisheye or Crucible visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Fisheye or Crucible. All versions of Fisheye and Crucible before 4.4.5 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.2 (the fixed version for 4.5.x) are affected by this vulnerability. | |||||
| CVE-2017-16839 | 1 Hashicorp | 1 Vagrant Vmware Fusion | 2024-11-21 | 6.9 MEDIUM | 7.0 HIGH |
| Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to steal root privileges if VMware Fusion is not installed. | |||||
| CVE-2017-16709 | 1 Crestron | 4 Airmedia Am-100, Airmedia Am-100 Firmware, Airmedia Am-101 and 1 more | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allows remote authenticated administrators to execute arbitrary code via unspecified vectors. | |||||
| CVE-2017-16653 | 2 Debian, Sensiolabs | 2 Debian Linux, Symfony | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks. | |||||
| CVE-2017-16550 | 1 K7computing | 5 Antivirus, Endpoint, Internet Security and 2 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| K7 Antivirus Premium before 15.1.0.53 allows local users to write to arbitrary memory locations, and consequently gain privileges, via a specific set of IOCTL calls. | |||||
| CVE-2017-16207 | 1 Discordi.js Project | 1 Discordi.js | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
| discordi.js is a malicious module based on the discord.js library that exfiltrates login tokens to pastebin. | |||||
| CVE-2017-16088 | 1 Safe-eval Project | 1 Safe-eval | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL |
| The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. | |||||
| CVE-2017-16046 | 1 Mariadb | 1 Mariadb | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | |||||
| CVE-2017-16030 | 1 Useragent Project | 1 Useragent | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier. | |||||
| CVE-2017-16007 | 1 Cisco | 1 Node-jose | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| node-jose is a JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. node-jose earlier than version 0.9.3 is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. | |||||