Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2017-3207

    The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker... Read more

    Affected Products : weborb_for_java
    • Published: Jun. 11, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2017-3206

    The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potential... Read more

    Affected Products : flamingo
    • Published: Jun. 11, 2018
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2017-3203

    The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof... Read more

    Affected Products : spring-flex
    • Published: Jun. 11, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2017-3202

    The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The... Read more

    Affected Products : flamingo
    • Published: Jun. 11, 2018
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2017-3201

    The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacke... Read more

    Affected Products : flamingo_amf-serializer flamingo
    • Published: Jun. 11, 2018
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2017-3200

    The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit th... Read more

    Affected Products : graniteds
    • Published: Jun. 11, 2018
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2017-3199

    The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof ... Read more

    Affected Products : graniteds
    • Published: Jun. 11, 2018
    • Modified: Nov. 21, 2024

  • 10.0

    HIGH
    CVE-2017-3198

    GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary modifications to firmware images without being detected.... Read more

    • Published: Jul. 09, 2018
    • Modified: Nov. 21, 2024

  • 10.0

    HIGH
    CVE-2017-3197

    GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit mo... Read more

    • Published: Jul. 09, 2018
    • Modified: Nov. 21, 2024

  • 9.3

    HIGH
    CVE-2017-3189

    The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to arbitrary file upload. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, there are no checks on... Read more

    Affected Products : dotcms
    • Published: Jul. 24, 2018
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2017-3188

    The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents... Read more

    Affected Products : dotcms
    • Published: Jul. 24, 2018
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2017-3187

    The dotCMS administration panel, versions 3.7.1 and earlier, are vulnerable to cross-site request forgery. The dotCMS administrator panel contains a cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions... Read more

    Affected Products : dotcms
    • Published: Jul. 24, 2018
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2017-3183

    Sage XRT Treasury, version 3, fails to properly restrict database access to authorized users, which may enable any authenticated user to gain full access to privileged database functions. Sage XRT Treasury is a business finance management application. Dat... Read more

    Affected Products : xrt_treasury
    • Published: Jul. 24, 2018
    • Modified: Nov. 21, 2024

  • 6.8

    MEDIUM
    CVE-2017-3182

    On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. ThreatMetrix is a security library for mobile applic... Read more

    Affected Products : threatmetrix_sdk
    • Published: Jul. 24, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2017-3181

    Multiple TIBCO Products are prone to multiple unspecified SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the applicatio... Read more

    • Published: Jul. 24, 2018
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2017-3180

    Multiple TIBCO Products are prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspect... Read more

    • Published: Jul. 24, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2017-3164

    Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (inclusive). Since the "shards" parameter does not have a corresponding whitelist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any ... Read more

    Affected Products : solr
    • Published: Mar. 08, 2019
    • Modified: Nov. 21, 2024

  • 7.4

    HIGH
    CVE-2017-3160

    After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the G... Read more

    Affected Products : cordova
    • Published: Feb. 01, 2018
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2017-3158

    A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap. Such overlapping writes could cause packet data to be misread as the packet length, resulting in the rem... Read more

    Affected Products : guacamole
    • Published: Jan. 18, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2017-3145

    BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.... Read more

    • Published: Jan. 16, 2019
    • Modified: Nov. 21, 2024
Showing 20 of 293425 Results