Search

Search Results (363169 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-16941 1 Octobercms 1 October 2025-04-20 N/A
October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. NOTE: the vendor says "I don't think [an attacker able to login to the system under an account that has access to manage/upload themes] is a threat model that we need to be considering.
CVE-2017-16942 1 Libsndfile Project 1 Libsndfile 2025-04-20 N/A
In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists in the function wav_w64_read_fmt_chunk() in wav_w64.c, which may lead to DoS when playing a crafted audio file.
CVE-2017-16943 2 Debian, Exim 2 Debian Linux, Exim 2025-04-20 N/A
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
CVE-2017-16944 2 Debian, Exim 2 Debian Linux, Exim 2025-04-20 N/A
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.
CVE-2017-16946 1 Misp 1 Misp 2025-04-20 N/A
The admin_edit function in app/Controller/UsersController.php in MISP 2.4.82 mishandles the enable_password field, which allows admins to discover a hashed password by reading the audit log.
CVE-2017-16948 1 Tgsoft 1 Vir.it Explorer 2025-04-20 N/A
TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a NULL value in a 0x82730008 DeviceIoControl request to \\.\Viragtlt.
CVE-2017-16949 1 Accesspressthemes 1 Anonymous Post Pro 2025-04-20 N/A
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution.
CVE-2017-16950 1 Urbackup 1 Urbackup Server 2025-04-20 N/A
Cross - site scripting (XSS) vulnerability in UrBackup Server before 2.1.20 allows remote attackers to inject arbitrary web script or HTML via the action parameter.
CVE-2017-16951 1 Audiovalley 1 Winamp Pro 2025-04-20 5.5 Medium
Winamp Pro 5.66 Build 3512 allows remote attackers to cause a denial of service via a crafted WAV, WMV, AU, ASF, AIFF, or AIF file.
CVE-2017-16952 1 Kmplayer 1 Kmplayer 2025-04-20 N/A
KMPlayer 4.2.2.4 allows remote attackers to cause a denial of service via a crafted NSV file.
CVE-2017-16953 1 Zte 2 Zxdsl 831cii, Zxdsl 831cii Firmware 2025-04-20 N/A
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to modify the PPPoE configuration or set up a malicious configuration via a GET request.
CVE-2017-16955 1 Inlinks Project 1 Inlinks 2025-04-20 N/A
SQL injection vulnerability in the InLinks plugin through 1.1 for WordPress allows authenticated users to execute arbitrary SQL commands via the "keyword" parameter to /wp-admin/options-general.php?page=inlinks/inlinks.php.
CVE-2017-16956 1 Symphony Project 1 Symphony 2025-04-20 N/A
b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title.
CVE-2017-16957 1 Tp-link 108 Tl-er3210g, Tl-er3210g Firmware, Tl-er3220g and 105 more 2025-04-20 N/A
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the iface field of an admin/diagnostic command to cgi-bin/luci, related to the zone_get_effect_devices function in /usr/lib/lua/luci/controller/admin/diagnostic.lua in uhttpd.
CVE-2017-16958 1 Tp-link 108 Tl-er3210g, Tl-er3210g Firmware, Tl-er3220g and 105 more 2025-04-20 N/A
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/bridge command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/bridge.lua in uhttpd.
CVE-2017-16959 1 Tp-link 108 Tl-er3210g, Tl-er3210g Firmware, Tl-er3220g and 105 more 2025-04-20 N/A
The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allows remote authenticated users to test for the existence of arbitrary files by making an operation=write;locale=%0d request, and then making an operation=read request with a crafted Accept-Language HTTP header, related to the set_sysinfo and get_sysinfo functions in /usr/lib/lua/luci/controller/locale.lua in uhttpd.
CVE-2017-1696 1 Ibm 1 Qradar Security Information And Event Manager 2025-04-20 N/A
IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 134178.
CVE-2017-16960 1 Tp-link 93 Tl-er3210g, Tl-er3210g Firmware, Tl-er3220g and 90 more 2025-04-20 N/A
TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the t_bindif field of an admin/interface command to cgi-bin/luci, related to the get_device_byif function in /usr/lib/lua/luci/controller/admin/interface.lua in uhttpd.
CVE-2017-16961 1 Bigtreecms 1 Bigtree Cms 2025-04-20 N/A
A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request.
CVE-2017-16962 1 Communigate 1 Communigate Pro 2025-04-20 N/A
The WebMail components (Crystal, pronto, and pronto4) in CommuniGate Pro before 6.2.1 have stored XSS vulnerabilities via (1) the location or details field of a Google Calendar invitation, (2) a crafted Outlook.com calendar (aka Hotmail Calendar) invitation, (3) e-mail granting access to a directory that has JavaScript in its name, (4) JavaScript in a note name, (5) JavaScript in a task name, or (6) HTML e-mail that is mishandled in the Inbox component.