CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In September 2017

Columns (each entry below spans four lines):
  line 1: # | CVE ID | CWE ID | # of Exploits (blank for every entry on this page) | Vulnerability Type(s) | Publish Date | Update Date
  line 2: CVSS v2 base score
  line 3: Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
  line 4: description
A "???" in the Authentication field is a value the site did not render. For the entries on this page it occurs only where the score (3.5 for an XSS, 4.0, 4.9, 9.0) is the CVSS v2 result for Au:S (single authentication) rather than Au:N, so read those rows as "authenticated".
1051 CVE-2015-8353 79 XSS 2017-09-11 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Role Scoper plugin before 1.3.67 for WordPress allows remote attackers to inject arbitrary web script or HTML via the object_name parameter in a rs-object_role_edit page to wp-admin/admin.php.
1052 CVE-2015-8351 94 Exec Code Dir. Trav. File Inclusion 2017-09-11 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.
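The pattern behind CVE-2015-8351 is a caller-controlled path spliced into an include, with two failure modes: a URL (remote inclusion, gated by allow_url_include) and a ".." walk out of the include directory (local inclusion, which works regardless of that setting). As an added example in Python, not code from the Gwolle Guestbook plugin or from WordPress, here is a containment check that refuses both. The directory layout, file names, the request strings and the UnsafeIncludePath class are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import urlsplit


class UnsafeIncludePath(ValueError):
    """Raised when a caller-supplied include path would leave the include root."""


def resolve_include(include_root: str, requested: str) -> str:
    """Map a caller-influenced path onto a file under include_root, or refuse it.

    A URL-like request (remote inclusion) and a path that escapes the root
    after normalisation (local inclusion via traversal) are both refused.
    """
    # A scheme (http://, ftp://, php://, data:, ...) means a remote or wrapper
    # include; it can never name a file under the root, so refuse outright.
    if urlsplit(requested).scheme:
        raise UnsafeIncludePath(f"URL-like include refused: {requested!r}")
    if "\x00" in requested:
        raise UnsafeIncludePath("NUL byte in include path")
    root = os.path.realpath(include_root)
    # os.path.join drops the root when the second operand is absolute, so an
    # absolute request is first made relative; realpath then collapses '..'
    # and symlinks so the containment test sees the real target.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeIncludePath(f"path escapes include root: {requested!r}")
    return candidate


def demo() -> dict:
    """Run the check over a constructed include tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "app", "includes")
        os.makedirs(root)
        open(os.path.join(root, "captcha.php"), "w").close()
        # Constructed file one level above the include root, the traversal target.
        open(os.path.join(tmp, "app", "secret.txt"), "w").close()
        requests = [
            "captcha.php",                       # legitimate include
            "../secret.txt",                     # local traversal
            "/etc/passwd",                       # absolute path, reinterpreted under the root
            "http://evil.example/shell.txt",     # remote inclusion
            "php://filter/resource=captcha.php", # stream wrapper
        ]
        results = {}
        for req in requests:
            try:
                results[req] = os.path.relpath(resolve_include(root, req), root)
            except UnsafeIncludePath:
                results[req] = "REFUSED"
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:40} -> {outcome}")
```

Note that an absolute request is not refused but re-rooted ("/etc/passwd" becomes "<root>/etc/passwd"); if the application has no reason to accept absolute paths at all, reject them before the join instead.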
1053 CVE-2015-8350 79 XSS 2017-09-11 2018-10-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Calls to Action plugin before 2.5.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) open-tab parameter in a wp_cta_global_settings action to wp-admin/edit.php or (2) wp-cta-variation-id parameter to ab-testing-call-to-action-example/.
1054 CVE-2015-8349 79 XSS 2017-09-11 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SourceBans before 2.0 pre-alpha allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php.
1055 CVE-2015-8316 129 DoS 2017-09-06 2017-09-21
4.3
None Remote Medium Not required None None Partial
Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1.16.6 when the XDMCP server is enabled allows remote attackers to cause a denial of service (process crash) via an XDMCP request packet with no address.
1056 CVE-2015-8251 200 +Info 2017-09-25 2017-10-11
4.3
None Remote Medium Not required Partial None None
OpenStage 60 and OpenScape Desk Phone IP 55G SIP V3, OpenStage 15, 20E, 20 and 40 and OpenScape Desk Phone IP 35G SIP V3, OpenScape Desk Phone IP 35G Eco SIP V3, OpenStage 60 and OpenScape Desk Phone IP 55G HFA V3, OpenStage 15, 20E, 20, and 40 and OpenScape Desk Phone IP 35G HFA V3, and OpenScape Desk Phone IP 35G Eco HFA V3 use non-unique X.509 certificates and SSH host keys.
1057 CVE-2015-8249 434 2017-09-28 2017-10-06
10.0
None Remote Low Not required Complete Complete Complete
The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter.
1058 CVE-2015-8224 200 +Info 2017-09-20 2017-09-23
4.3
None Remote Medium Not required Partial None None
Huawei P8 before GRA-CL00C92B210, before GRA-L09C432B200, before GRA-TL00C01B210, and before GRA-UL00C00B210 allows remote attackers to obtain user equipment (aka UE) measurements of signal strengths.
1059 CVE-2015-8079 200 +Info 2017-09-07 2021-08-31
5.0
None Remote Low Not required Partial None None
qt5-qtwebkit before 5.4 records private browsing URLs to its favicon database, WebpageIcons.db.
1060 CVE-2015-7880 200 +Info 2017-09-13 2017-09-26
4.0
None Remote Low ??? Partial None None
The Entity Registration module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to obtain sensitive event registration information by leveraging the "Register other accounts" permission and knowledge of usernames.
1061 CVE-2015-7879 79 XSS 2017-09-11 2017-09-19
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Stickynote module 7.x before 7.x-1.3 for Drupal allows remote authenticated users with permission to create or edit a stickynote to inject arbitrary web script or HTML via note text on the admin listing page.
1062 CVE-2015-7877 89 Exec Code Sql 2017-09-11 2017-09-21
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
1063 CVE-2015-7846 200 +Info 2017-09-25 2017-10-10
2.1
None Local Low Not required Partial None None
Huawei S7700, S9700, S9300 before V200R07C00SPC500, and AR200, AR1200, AR2200, AR3200 before V200R005C20SPC200 allows attackers with physical access to the CF card to obtain sensitive information.
1064 CVE-2015-7837 254 Bypass 2017-09-19 2017-10-05
2.1
None Local Low Not required None Partial None
The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions by leveraging improper handling of secure_boot flag across kexec reboot.
1065 CVE-2015-7785 295 2017-09-25 2017-10-06
4.3
None Remote Medium Not required Partial None None
GANMA! App for iOS does not verify SSL certificates.
1066 CVE-2015-7746 287 Bypass +Info 2017-09-01 2017-09-06
7.5
None Remote Low Not required Partial Partial Partial
NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8 in the volume language.
1067 CVE-2015-7672 79 XSS 2017-09-07 2019-07-30
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in Centreon 18.10.0 and Centreon web 2.8.27).
1068 CVE-2015-7670 89 Exec Code Sql 2017-09-26 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in includes/update.php in the Support Ticket System plugin before 1.2.1 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) user or (2) id parameter.
1069 CVE-2015-7553 362 DoS 2017-09-14 2017-09-21
4.7
None Local Medium Not required None None Complete
Race condition in the kernel in Red Hat Enterprise Linux 7, kernel-rt and Red Hat Enterprise MRG 2, when the nfnetlink_log module is loaded, allows local users to cause a denial of service (panic) by creating netlink sockets.
1070 CVE-2015-7544 74 Exec Code 2017-09-25 2017-10-11
9.0
None Remote Low ??? Complete Complete Complete
redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manager (aka RHEV Manager) before 3.6 allows remote authenticated users with the SuperUser role on any Entity to execute arbitrary commands on any host in the RHEV environment.
1071 CVE-2015-7510 119 Overflow 2017-09-25 2017-10-06
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd.
1072 CVE-2015-7391 79 XSS 2017-09-26 2018-10-09
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.9.14 allow remote attackers to inject arbitrary web script or HTML via the (1) selected_end_date or (2) selected_start_date parameter to lib/results/tcCreatedPerUserOnTestProject.php; the (3) containerType parameter to lib/testcases/containerEdit.php; the (4) filter_tc_id or (5) filter_testcase_name parameter to lib/testcases/listTestCases.php; the (6) useRecursion parameter to lib/testcases/tcImport.php; the (7) targetTestCase or (8) created_by parameter to lib/testcases/tcSearch.php; or the (9) HTTP Referer header to third_party/user_contribution/fakeRemoteExecServer/client4fakeXMLRPCTestRunner.php.
1073 CVE-2015-7390 89 Exec Code Sql 2017-09-26 2019-03-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in TestLink before 1.9.14 allows remote attackers to execute arbitrary SQL commands via the apikey parameter to lnl.php.
1074 CVE-2015-7349 79 XSS 2017-09-28 2017-10-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the sample feedback.inc file in VASCO DIGIPASS authentication plug-in for Citrix Web Interface allows remote attackers to inject arbitrary web script or HTML via the failmessage parameter.
1075 CVE-2015-7347 79 XSS 2017-09-20 2017-09-30
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1.
1076 CVE-2015-7318 20 2017-09-25 2017-10-03
5.0
None Remote Low Not required None Partial None
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.
1077 CVE-2015-7317 264 2017-09-25 2017-10-06
4.9
None Remote Medium ??? Partial Partial None
Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, and 4.2.0 through 4.2.7 allows remote authenticated users to edit Kupu settings.
1078 CVE-2015-7316 79 XSS 2017-09-25 2017-10-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.
1079 CVE-2015-7315 284 2017-09-25 2017-10-03
4.3
None Remote Medium Not required None Partial None
Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
1080 CVE-2015-7294 90 2017-09-06 2020-03-09
5.0
None Remote Low Not required Partial None None
ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.
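ldapauth-fork builds its user search from the submitted login name; the fix for CVE-2015-7294 is to escape that value before it is placed in the filter. The following is an added example in Python, not ldapauth-fork's own (Node.js) code: the RFC 4515 section 3 escaping, beside a small filter evaluator that shows why it matters, since an unescaped "*" in the uid assertion matches every user. The DIRECTORY entries, the "(uid=...)" template and the function names are constructed for the demo, and the evaluator handles only a single "(attr=value)" filter.

```python
import re

# RFC 4515 section 3: these characters must be written as a backslash followed by
# two hex digits when they appear inside an assertion value.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for interpolation into an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter_unsafe(username: str) -> str:
    """The injectable pattern: the raw username is spliced into the filter."""
    return f"(uid={username})"


def search_filter_safe(username: str) -> str:
    """Same template with the value escaped, so metacharacters match literally."""
    return f"(uid={escape_ldap_filter_value(username)})"


# Constructed in-memory directory standing in for the LDAP server's entries.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uid": "alice"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob"},
    {"dn": "uid=svc-backup,ou=services,dc=example,dc=com", "uid": "svc-backup"},
]


def _assertion_to_regex(raw: str) -> str:
    """Translate an assertion value into a regex the way a server interprets it:
    an unescaped '*' is a wildcard, a '\\xx' escape is one literal character,
    anything else is literal."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            out.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(raw[i]))
            i += 1
    return "".join(out)


def search(filter_str: str, directory=DIRECTORY) -> list:
    """Evaluate one equality filter '(attr=value)' and return the matching DNs.

    Only that single shape is supported; an injected extra '(' or ')' makes the
    filter malformed here, as it would be on a real server.
    """
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filter_str)
    if m is None:
        raise ValueError(f"malformed or unsupported filter: {filter_str!r}")
    attr, raw = m.group(1), m.group(2)
    pattern = _assertion_to_regex(raw)
    return [e["dn"] for e in directory if re.fullmatch(pattern, e.get(attr, "")) is not None]


if __name__ == "__main__":
    for name in ("alice", "*"):
        print(f"unsafe {search_filter_unsafe(name)!r:12} -> {search(search_filter_unsafe(name))}")
        print(f"safe   {search_filter_safe(name)!r:12} -> {search(search_filter_safe(name))}")
```

With the unsafe template a login name of "*" turns the lookup into "(uid=*)" and the first returned entry is whoever the server lists first, which lets an attacker pick which account the subsequent bind is attempted against; with the escaped template the same input is the literal uid "*" and matches nothing. Real LDAP client libraries ship an equivalent escaping function; the point is to call it on every interpolated value, not to write your own.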
1081 CVE-2015-7293 352 CSRF 2017-09-25 2017-10-06
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Zope Management Interface 4.3.7 and earlier, and Plone before 5.x.
1082 CVE-2015-7256 310 2017-09-28 2017-10-11
4.3
None Remote Medium Not required Partial None None
ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-B30A, and VSG1435-B101 DSL CPEs; PMG5318-B20A GPONs; SBG3300-N000, SBG3300-NB00, and SBG3500-N000 small business gateways; GS1900-8 and GS1900-24 switches; and C1000Z, Q1000, FR1000Z, and P8702N project models use non-unique X.509 certificates and SSH host keys.
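The two entries on non-unique X.509 certificates and SSH host keys (CVE-2015-8251 above and CVE-2015-7256 here) describe the same condition: a whole product line shipping one private key, so any device that has been compromised can impersonate every other one and the key cannot be pinned per host. The check a practitioner wants is whether any key is seen on more than one host. Added example in Python, not code from either vendor: parse ssh-keyscan output, compute the OpenSSH-style SHA256 fingerprint of each key, and report fingerprints shared across hosts. The host names and key blobs are constructed stand-ins, not real key material.

```python
import base64
import hashlib
from collections import defaultdict


def _fake_key_blob(label: str) -> str:
    """Constructed stand-in for a public-key blob: base64 of a tag, not a real key."""
    return base64.b64encode(b"constructed-demo-key:" + label.encode()).decode()


# Constructed ssh-keyscan style output, "host keytype base64-blob" per line, plus
# the informational '#' lines ssh-keyscan emits with -v. Three devices share one key.
SAMPLE_SCAN = "\n".join([
    "# phone-a:22 SSH-2.0-dropbear",
    "phone-a ssh-rsa " + _fake_key_blob("vendor-image-2015"),
    "phone-b ssh-rsa " + _fake_key_blob("vendor-image-2015"),
    "[phone-c]:2222 ssh-rsa " + _fake_key_blob("vendor-image-2015"),
    "switch-1 ssh-ed25519 " + _fake_key_blob("unique-1"),
    "switch-2 ssh-ed25519 " + _fake_key_blob("unique-2"),
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw blob."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, blob) from ssh-keyscan output, skipping comments and junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        if host.startswith("[") and "]:" in host:  # non-default port: "[host]:port"
            host = host[1:host.index("]:")]
        yield host, keytype, blob


def shared_host_keys(text: str) -> dict:
    """Group hosts by (keytype, fingerprint); return only keys seen on more than one host."""
    by_key = defaultdict(set)
    for host, keytype, blob in parse_keyscan(text):
        by_key[(keytype, fingerprint(blob))].add(host)
    return {f"{kt} {fp}": sorted(hosts) for (kt, fp), hosts in by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{key} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the input comes from "ssh-keyscan -f hosts.txt > scan.txt" run from a management network; the same grouping, keyed on the SHA-256 of the DER certificate, finds shared TLS certificates from the devices' HTTPS and SIP listeners.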
1083 CVE-2015-7241 611 2017-09-06 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.
1084 CVE-2015-7225 254 2017-09-06 2017-09-21
3.5
None Remote Medium ??? Partial None None
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.
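The requirement CVE-2015-7225 cites, RFC 6238 section 5.2, is that a one-time password which has been accepted must never be accepted again, even though it stays arithmetically valid for the rest of its time step. The usual way to meet it is to store, per user, the highest time-step counter that has been consumed and refuse that counter and everything below it. Added example in Python, not Devise-two-factor's (Ruby) code: RFC 4226/6238 code generation, a verifier with the flaw beside one that burns the consumed step, and a replay of one captured code against both. The DEMO_SECRET, the class names and the drift window are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class ReplayableVerifier:
    """The flawed behaviour: any code valid in the current window is accepted every time."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                return True
        return False


class BurningVerifier(ReplayableVerifier):
    """RFC 6238 section 5.2 behaviour: the highest consumed counter is remembered
    (per user, in persistent storage in a real deployment) and no counter at or
    below it is accepted afterwards, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1, consumed_counter: int = -1):
        super().__init__(secret, step, drift)
        self.consumed_counter = consumed_counter  # would be loaded from the user record

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.consumed_counter:
                continue  # already burned, or older than a burned code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.consumed_counter = counter  # burn before reporting success
                return True
        return False


# Constructed enrolment secret in the base32 form shown in provisioning QR codes; not a real credential.
DEMO_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def replay_demo(unix_time: int = 1_700_000_000) -> dict:
    """Present one captured code twice to each verifier, five seconds apart (same time step)."""
    code = totp(DEMO_SECRET, unix_time)
    naive, burning = ReplayableVerifier(DEMO_SECRET), BurningVerifier(DEMO_SECRET)
    return {
        "replayable": (naive.verify(code, unix_time), naive.verify(code, unix_time + 5)),
        "burning": (burning.verify(code, unix_time), burning.verify(code, unix_time + 5)),
    }


if __name__ == "__main__":
    for name, (first, second) in replay_demo().items():
        print(f"{name:11} first use accepted={first}, replay accepted={second}")
```

The consumed counter must be written to the user record inside the same transaction that reports success; if it is only kept in process memory, a second application instance, or a restart, reopens the replay window.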
1085 CVE-2015-6748 79 XSS 2017-09-25 2020-01-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.
1086 CVE-2015-6673 416 2017-09-20 2020-10-05
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in Decoder.cpp in libpgf before 6.15.32.
1087 CVE-2015-6592 254 2017-09-25 2017-10-06
7.2
None Local Low Not required Complete Complete Complete
Huawei UAP2105 before V300R012C00SPC160(BootRom) does not require authentication to the serial port or the VxWorks shell.
1088 CVE-2015-6250 200 +Info 2017-09-06 2017-09-13
5.0
None Remote Low Not required Partial None None
simple-php-captcha before commit 9d65a945029c7be7bb6bc893759e74c5636be694 allows remote attackers to automatically generate the captcha response by running the same code on the client-side.
1089 CVE-2015-5959 200 +Info 2017-09-06 2017-09-07
5.0
None Remote Low Not required Partial None None
Froxlor before 0.9.33.2 with the default configuration/setup might allow remote attackers to obtain the database password by reading /logs/sql-error.log.
1090 CVE-2015-5948 362 Exec Code 2017-09-06 2017-09-09
9.3
None Remote Medium Not required Complete Complete Complete
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
1091 CVE-2015-5947 362 Exec Code 2017-09-06 2020-06-12
6.8
None Remote Medium Not required Partial Partial Partial
SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code.
1092 CVE-2015-5705 59 2017-09-06 2017-09-13
5.0
None Remote Low Not required None Partial None
Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename.
1093 CVE-2015-5704 77 Exec Code 2017-09-25 2017-10-06
7.2
None Local Low Not required Complete Complete Complete
scripts/licensecheck.pl in devscripts before 2.15.7 allows local users to execute arbitrary shell commands.
1094 CVE-2015-5666 295 2017-09-25 2017-10-06
4.3
None Remote Medium Not required Partial None None
ANA App for Android 3.1.1 and earlier, and ANA App for iOS 3.3.6 and earlier does not verify SSL certificates.
1095 CVE-2015-5613 79 XSS 2017-09-28 2017-10-06
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different vulnerability than CVE-2015-5612.
1096 CVE-2015-5608 601 2017-09-20 2017-09-22
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1.
1097 CVE-2015-5607 352 CSRF 2017-09-20 2017-10-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery in the REST API in IPython 2 and 3.
1098 CVE-2015-5395 352 CSRF 2017-09-20 2019-11-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.
1099 CVE-2015-5327 125 2017-09-25 2019-03-07
4.0
None Remote Low ??? Partial None None
Out-of-bounds memory read in the x509_decode_time function in x509_cert_parser.c in Linux kernels 4.3-rc1 and after.
1100 CVE-2015-5284 200 +Info 2017-09-21 2017-10-04
5.0
None Remote Low Not required Partial None None
ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate and private key in /etc/httpd/alias/kra-agent.pem, which is world readable.
Total number of vulnerabilities: 1228. Page 22 of 25.
CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of the user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.