Latest CVE Feed
-
9.3 HIGH
CVE-2017-3189
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on...
Affected Products: dotcms
- Published: Jul. 24, 2018
- Modified: Nov. 21, 2024
-
6.5 MEDIUM
CVE-2017-3188
The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents...
Affected Products: dotcms
- Published: Jul. 24, 2018
- Modified: Nov. 21, 2024
-
8.8 HIGH
CVE-2017-3187
The dotCMS administration panel, versions 3.7.1 and earlier, is vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions...
Affected Products: dotcms
- Published: Jul. 24, 2018
- Modified: Nov. 21, 2024
-
8.8 HIGH
CVE-2017-3183
Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Dat...
Affected Products: xrt_treasury
- Published: Jul. 24, 2018
- Modified: Nov. 21, 2024
-
6.8 MEDIUM
CVE-2017-3182
On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. ThreatMetrix is a security library for mobile applic...
Affected Products: threatmetrix_sdk
- Published: Jul. 24, 2018
- Modified: Nov. 21, 2024
-
9.8 CRITICAL
CVE-2017-3181
Multiple TIBCO Products are prone to multiple unspecified SQL-injection vulnerabilities because they fail to properly sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the applicatio...
- Published: Jul. 24, 2018
- Modified: Nov. 21, 2024
-
5.4 MEDIUM
CVE-2017-3180
Multiple TIBCO Products are prone to multiple unspecified cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspect...
- Published: Jul. 24, 2018
- Modified: Nov. 21, 2024
-
7.5 HIGH
CVE-2017-3164
Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any ...
Affected Products: solr
- Published: Mar. 08, 2019
- Modified: Nov. 21, 2024
-
7.4 HIGH
CVE-2017-3160
After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the G...
Affected Products: cordova
- Published: Feb. 01, 2018
- Modified: Nov. 21, 2024
-
8.1 HIGH
CVE-2017-3158
A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap. Such overlapping writes could cause packet data to be misread as the packet length, resulting in the rem...
Affected Products: guacamole
- Published: Jan. 18, 2018
- Modified: Nov. 21, 2024
-
7.5 HIGH
CVE-2017-3145
BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10....
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
7.5 HIGH
CVE-2017-3144
A vulnerability stemming from failure to properly clean up closed OMAPI connections can lead to exhaustion of the pool of socket descriptors available to the DHCP server. Affects ISC DHCP 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, 4.3.0 to 4.3.6. Older version...
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
7.5 HIGH
CVE-2017-3143
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affect...
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
5.3 MEDIUM
CVE-2017-3142
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that rel...
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
7.8 HIGH
CVE-2017-3141
The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file system permissions allow this. Affects BIND 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9...
Affected Products: bind
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
5.9 MEDIUM
CVE-2017-3140
If named is configured to use Response Policy Zones (RPZ) an error processing some rule types can lead to a condition where BIND will endlessly loop while handling a query. Affects BIND 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, 9.10.5-S1....
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
7.5 HIGH
CVE-2017-3139
A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response....
Affected Products: enterprise_linux_server_aus, enterprise_linux_server_eus, enterprise_linux_server_tus
- Published: Apr. 09, 2019
- Modified: Nov. 21, 2024
-
6.5 MEDIUM
CVE-2017-3138
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a s...
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
7.5 HIGH
CVE-2017-3137
Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occ...
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024
-
5.9 MEDIUM
CVE-2017-3136
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the ...
- Published: Jan. 16, 2019
- Modified: Nov. 21, 2024