Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 10.0

    HIGH
    CVE-2017-15815

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a potential buffer overflow can happen when processing any 802.11 MGMT frames like Auth frame in limProcessAuthFrame.... Read more

    Affected Products : android
    • Published: Mar. 15, 2018
    • Modified: Nov. 21, 2024

  • 4.4

    MEDIUM
    CVE-2017-15814

    In Android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, in msm_flash_subdev_do_ioctl of drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c, there is a possible out of bounds read if flash_... Read more

    Affected Products : android
    • Published: Mar. 16, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2017-15725

    An XML External Entity Injection vulnerability exists in Dzone AnswerHub.... Read more

    Affected Products : dzone_answerhub
    • Published: Oct. 28, 2019
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2017-15720

    In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.... Read more

    Affected Products : airflow
    • Published: Jan. 23, 2019
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2017-15719

    In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor.... Read more

    Affected Products : wicket-jquery-ui
    • Published: Mar. 12, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2017-15718

    The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.... Read more

    Affected Products : hadoop
    • Published: Jan. 24, 2018
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2017-15717

    A flaw in the way URLs are escaped and encoded in the org.apache.sling.xss.impl.XSSAPIImpl#getValidHref and org.apache.sling.xss.impl.XSSFilterImpl#isValidHref allows special crafted URLs to pass as valid, although they carry XSS payloads. The affected ve... Read more

    • Published: Jan. 10, 2018
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2017-15715

    In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some file... Read more

    • Published: Mar. 26, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2017-15714

    The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this code "__format=%27;alert(%27xss%27)" to the URL an alert wi... Read more

    Affected Products : ofbiz
    • Published: Jan. 04, 2018
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2017-15713

    Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can const... Read more

    Affected Products : hadoop
    • Published: Jan. 19, 2018
    • Modified: Nov. 21, 2024

  • 6.8

    MEDIUM
    CVE-2017-15712

    Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 4.3.0 and 5.0.0-beta1 to expose private files on the Oozie server process. The malicious user can construct a workflow XML file containing XML directives and configuration that reference sens... Read more

    Affected Products : oozie
    • Published: Feb. 19, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2017-15710

    In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the hea... Read more

    • Published: Mar. 26, 2018
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2017-15709

    When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text.... Read more

    Affected Products : activemq
    • Published: Feb. 13, 2018
    • Modified: Nov. 21, 2024

  • 5.3

    MEDIUM
    CVE-2017-15706

    As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to e... Read more

    Affected Products : tomcat
    • Published: Jan. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.3

    MEDIUM
    CVE-2017-15705

    A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, u... Read more

    • Published: Sep. 17, 2018
    • Modified: Nov. 21, 2024

  • 5.0

    MEDIUM
    CVE-2017-15703

    Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applie... Read more

    Affected Products : nifi
    • Published: Jan. 25, 2018
    • Modified: Nov. 21, 2024

  • 6.8

    MEDIUM
    CVE-2017-15699

    A Denial of Service vulnerability was found in Apache Qpid Dispatch Router versions 0.7.0 and 0.8.0. To exploit this vulnerability, a remote user must be able to establish an AMQP connection to the Qpid Dispatch Router and send a specifically crafted AMQP... Read more

    • Published: Feb. 13, 2018
    • Modified: Nov. 21, 2024

  • 5.9

    MEDIUM
    CVE-2017-15698

    When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was the... Read more

    Affected Products : debian_linux tomcat_native
    • Published: Jan. 31, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2017-15697

    A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x... Read more

    Affected Products : nifi
    • Published: Jan. 23, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2017-15696

    When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration dat... Read more

    Affected Products : geode
    • Published: Feb. 26, 2018
    • Modified: Nov. 21, 2024
Showing 20 of 293425 Results