Export limit exceeded: 364122 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364122 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-3128 | 1 Fortinet | 1 Fortios | 2025-04-20 | N/A |
| A stored XSS (Cross-Site-Scripting) vulnerability in Fortinet FortiOS allows attackers to execute unauthorized code or commands via the policy global-label parameter. | ||||
| CVE-2017-3129 | 1 Fortinet | 1 Fortiweb | 2025-04-20 | N/A |
| A Cross-Site Scripting vulnerability in Fortinet FortiWeb versions 5.7.1 and below allows attacker to execute unauthorized code or commands via an improperly sanitized POST parameter in the FortiWeb Site Publisher feature. | ||||
| CVE-2017-3130 | 1 Fortinet | 1 Fortios | 2025-04-20 | N/A |
| An information disclosure vulnerability in Fortinet FortiOS 5.6.0, 5.4.4 and below versions allows attacker to get FortiOS version info by inspecting FortiOS IKE VendorID packets. | ||||
| CVE-2017-3131 | 1 Fortinet | 1 Fortios | 2025-04-20 | N/A |
| A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to execute unauthorized code or commands via the filter input in "Applications" under FortiView. | ||||
| CVE-2017-3132 | 1 Fortinet | 1 Fortios | 2025-04-20 | N/A |
| A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to Execute unauthorized code or commands via the action input during the activation of a FortiToken. | ||||
| CVE-2017-3134 | 1 Fortinet | 1 Fortiwlc-sd | 2025-04-20 | N/A |
| An escalation of privilege vulnerability in Fortinet FortiWLC-SD versions 8.2.4 and below allows attacker to gain root access via the CLI command 'copy running-config'. | ||||
| CVE-2017-3150 | 1 Apache | 1 Atlas | 2025-04-20 | N/A |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookies that could be accessible to client-side script. | ||||
| CVE-2017-3151 | 1 Apache | 1 Atlas | 2025-04-20 | 6.1 Medium |
| Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality. | ||||
| CVE-2017-3156 | 2 Apache, Redhat | 3 Cxf, Jboss Amq, Jboss Fuse | 2025-04-20 | N/A |
| The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks. | ||||
| CVE-2017-3157 | 3 Apache, Debian, Redhat | 9 Openoffice, Debian Linux, Enterprise Linux and 6 more | 2025-04-20 | N/A |
| By exploiting the way Apache OpenOffice before 4.1.4 renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tricking the user into saving the document and convincing the user to send the document back to the attacker. The vulnerability is mitigated by the need for the attacker to know the precise file path in the target system, and the need to trick the user into saving the document and sending it back. | ||||
| CVE-2017-3159 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2025-04-20 | N/A |
| Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | ||||
| CVE-2017-3163 | 2 Apache, Redhat | 2 Solr, Jboss Enterprise Application Platform | 2025-04-20 | N/A |
| When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access. | ||||
| CVE-2017-3165 | 1 Apache | 1 Brooklyn | 2025-04-20 | N/A |
| In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content. There is known to be a proof-of-concept exploit using this vulnerability. | ||||
| CVE-2017-3166 | 1 Apache | 1 Hadoop | 2025-04-20 | N/A |
| In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file. | ||||
| CVE-2017-3169 | 2 Apache, Redhat | 5 Http Server, Enterprise Linux, Jboss Core Services and 2 more | 2025-04-20 | N/A |
| In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. | ||||
| CVE-2017-3190 | 1 Axs | 1 Flash Seats | 2025-04-20 | N/A |
| Flash Seats Mobile App for Android version 1.7.9 and earlier and for iOS version 1.9.51 and earlier fails to properly validate SSL certificates provided by HTTPS connections, which may enable an attacker to conduct man-in-the-middle (MITM) attacks. | ||||
| CVE-2017-3184 | 1 Acti | 1 Camera Firmware | 2025-04-20 | N/A |
| ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC fail to properly restrict access to the factory reset page. An unauthenticated, remote attacker can exploit this vulnerability by directly accessing the http://x.x.x.x/setup/setup_maintain_firmware-default.html page. This will allow an attacker to perform a factory reset on the device, leading to a denial of service condition or the ability to make use of default credentials (CVE-2017-3186). | ||||
| CVE-2017-3185 | 1 Acti | 1 Camera Firmware | 2025-04-20 | N/A |
| ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources. | ||||
| CVE-2017-3186 | 1 Acti | 1 Camera Firmware | 2025-04-20 | N/A |
| ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC use non-random default credentials across all devices. A remote attacker can take complete control of a device using default admin credentials. | ||||
| CVE-2017-3191 | 2 D-link, Dlink | 4 Dir-130 Firmware, Dir-330 Firmware, Dir-130 and 1 more | 2025-04-20 | N/A |
| D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 are vulnerable to authentication bypass of the remote login page. A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some administrator-only pages such as tools_admin.asp without credentials. | ||||