CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In June 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
201 CVE-2017-9516 79 XSS 2017-06-08 2017-08-13
3.5
None Remote Medium ??? None Partial None
Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
202 CVE-2017-9505 276 2017-06-15 2020-07-21
4.0
None Remote Low ??? Partial None None
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself.
203 CVE-2017-9503 476 DoS 2017-06-16 2020-11-10
1.9
None Local Medium Not required None None Partial
QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.
204 CVE-2017-9502 119 Overflow 2017-06-14 2017-07-08
5.0
None Remote Low Not required None None Partial
In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://").
205 CVE-2017-9501 617 DoS 2017-06-07 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.
206 CVE-2017-9500 617 DoS 2017-06-07 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-8 Q16, an assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file.
207 CVE-2017-9499 617 DoS 2017-06-07 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the function SetPixelChannelAttributes, which allows attackers to cause a denial of service via a crafted file.
208 CVE-2017-9474 125 DoS 2017-06-07 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the DecompressRTF function in lib/ytnef.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
209 CVE-2017-9473 DoS 2017-06-07 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the TNEFFillMapi function in lib/ytnef.c allows remote attackers to cause a denial of service (memory consumption) via a crafted file.
210 CVE-2017-9472 125 DoS 2017-06-07 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the SwapDWord function in lib/ytnef.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
211 CVE-2017-9471 125 DoS 2017-06-07 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the SwapWord function in lib/ytnef.c allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
212 CVE-2017-9470 476 DoS 2017-06-07 2019-05-18
4.3
None Remote Medium Not required None None Partial
In ytnef 1.9.2, the MAPIPrint function in lib/ytnef.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file.
213 CVE-2017-9469 119 Overflow 2017-06-07 2019-03-14
5.0
None Remote Low Not required None None Partial
In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC files, it tries to find the terminating quote one byte before the allocated memory. Thus, remote attackers might be able to cause a crash.
214 CVE-2017-9468 476 2017-06-07 2019-03-14
5.0
None Remote Low Not required None None Partial
In Irssi before 1.0.3, when receiving a DCC message without source nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC servers can cause a crash.
215 CVE-2017-9466 327 2017-06-26 2017-07-06
7.5
None Remote Low Not required Partial Partial Partial
The executable httpd on the TP-Link WR841N V8 router before TL-WR841N(UN)_V8_170210 contained a design flaw in the use of DES for block encryption. This resulted in incorrect access control, which allowed attackers to gain read-write access to system settings through the protected router configuration service tddp via the LAN and Ath0 (Wi-Fi) interfaces.
216 CVE-2017-9465 125 DoS +Info 2017-06-06 2019-10-03
5.8
None Remote Medium Not required Partial None Partial
The yr_arena_write_data function in YARA 3.6.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) or obtain sensitive information from process memory via a crafted file that is mishandled in the yr_re_fast_exec function in libyara/re.c and the _yr_scan_match_callback function in libyara/scan.c.
217 CVE-2017-9464 601 2017-06-14 2017-06-19
5.8
None Remote Medium Not required Partial Partial None
An open redirect vulnerability is present in Piwigo 2.9 and probably prior versions, allowing remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The identification.php component is affected by this issue: the "redirect" parameter is not validated.
218 CVE-2017-9463 89 Sql +Info 2017-06-14 2017-06-19
4.0
None Remote Low ??? Partial None None
The application Piwigo is affected by a SQL injection vulnerability in version 2.9.0 and possibly prior. This vulnerability allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The user_list_backend.php component is affected: values of the iDisplayStart & iDisplayLength parameters are not sanitized; these are used to construct a SQL query and retrieve a list of registered users into the application.
219 CVE-2017-9462 732 Exec Code 2017-06-06 2020-02-05
9.0
None Remote Low ??? Complete Complete Complete
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
220 CVE-2017-9461 835 DoS 2017-06-06 2019-10-03
6.8
None Remote Low ??? None None Complete
smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial of service vulnerability (fd_open_atomic infinite loop with high CPU usage and memory consumption) due to wrongly handling dangling symlinks.
221 CVE-2017-9452 79 XSS 2017-06-06 2017-06-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter.
222 CVE-2017-9451 79 XSS 2017-06-06 2017-06-13
4.3
None Remote Medium Not required None Partial None
Cross site scripting (XSS) vulnerability in pages.edit_form.php in flatCore 1.4.6 allows remote attackers to inject arbitrary JavaScript via the PATH_INFO in an acp.php URL, due to use of unsanitized $_SERVER['PHP_SELF'] to generate URLs.
223 CVE-2017-9449 89 Exec Code Sql 2017-06-06 2017-06-12
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name.
224 CVE-2017-9448 79 XSS 2017-06-06 2017-06-12
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users.
225 CVE-2017-9445 787 2017-06-28 2017-07-07
5.0
None Remote Low Not required None None Partial
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.
226 CVE-2017-9444 352 CSRF 2017-06-05 2017-06-12
6.8
None Remote Medium Not required Partial Partial Partial
BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI.
227 CVE-2017-9443 89 Sql 2017-06-05 2017-06-09
6.5
None Remote Low ??? Partial Partial Partial
** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
228 CVE-2017-9442 94 Exec Code 2017-06-05 2017-06-09
6.5
None Remote Low ??? Partial Partial Partial
** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
229 CVE-2017-9441 79 XSS 2017-06-05 2017-06-12
3.5
None Remote Medium ??? None Partial None
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
230 CVE-2017-9440 772 DoS 2017-06-05 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file.
231 CVE-2017-9439 772 DoS 2017-06-05 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file.
232 CVE-2017-9438 674 DoS 2017-06-05 2021-05-05
5.0
None Remote Low Not required None None Partial
libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the _yr_re_emit function, a different vulnerability than CVE-2017-9304.
233 CVE-2017-9437 89 Sql 2017-06-05 2017-06-13
6.5
None Remote Low ??? Partial Partial Partial
Openbravo Business Suite 3.0 is affected by SQL injection. This vulnerability could allow remote authenticated attackers to inject arbitrary SQL code.
234 CVE-2017-9436 89 Sql 2017-06-05 2017-06-13
7.5
None Remote Low Not required Partial Partial Partial
TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php.
235 CVE-2017-9435 89 Sql 2017-06-05 2017-06-08
7.5
None Remote Low Not required Partial Partial Partial
Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).
236 CVE-2017-9434 125 2017-06-05 2019-06-01
5.0
None Remote Low Not required Partial None None
Crypto++ (aka cryptopp) through 5.6.5 contains an out-of-bounds read vulnerability in zinflate.cpp in the Inflator filter.
237 CVE-2017-9433 119 Overflow 2017-06-05 2017-11-04
7.5
None Remote Low Not required Partial Partial Partial
Document Liberation Project libmwaw before 2017-04-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the MsWrd1Parser::readFootnoteCorrespondance function in lib/MsWrd1Parser.cxx.
238 CVE-2017-9432 787 Overflow 2017-06-05 2017-06-12
7.5
None Remote Low Not required Partial Partial Partial
Document Liberation Project libstaroffice before 2017-04-07 has an out-of-bounds write caused by a stack-based buffer overflow related to the DatabaseName::read function in lib/StarWriterStruct.cxx.
239 CVE-2017-9431 787 Overflow 2017-06-05 2017-06-12
7.5
None Remote Low Not required Partial Partial Partial
Google gRPC before 2017-04-05 has an out-of-bounds write caused by a heap-based buffer overflow related to core/lib/iomgr/error.c.
240 CVE-2017-9430 119 DoS Overflow 2017-06-05 2017-08-12
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.
241 CVE-2017-9429 89 Exec Code Sql 2017-06-13 2017-08-13
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php.
242 CVE-2017-9428 22 Dir. Trav. 2017-06-04 2017-06-06
5.0
None Remote Low Not required Partial None None
A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter.
243 CVE-2017-9427 89 Exec Code Sql 2017-06-04 2017-06-06
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true.
244 CVE-2017-9424 502 Exec Code 2017-06-22 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization.
245 CVE-2017-9420 79 XSS 2017-06-05 2017-07-17
4.3
None Remote Medium Not required None Partial None
Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin before 3.3.0 for WordPress allows remote attackers to inject arbitrary JavaScript via the yr parameter.
246 CVE-2017-9419 79 XSS 2017-06-15 2017-07-17
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Webhammer WP Custom Fields Search plugin 0.3.28 for WordPress allows remote attackers to inject arbitrary JavaScript via the cs-all-0 parameter.
247 CVE-2017-9418 89 Exec Code Sql 2017-06-12 2017-08-13
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php.
248 CVE-2017-9417 Exec Code 2017-06-04 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
Broadcom BCM43xx Wi-Fi chips allow remote attackers to execute arbitrary code via unspecified vectors, aka the "Broadpwn" issue.
249 CVE-2017-9416 22 Dir. Trav. 2017-06-04 2017-06-08
4.0
None Remote Low ??? Partial None None
Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service.
250 CVE-2017-9409 772 DoS 2017-06-02 2019-10-03
4.3
None Remote Medium Not required None None Partial
In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file.
Total number of vulnerabilities : 1037   Page : 1 2 3 4 5 (This Page)6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.