| 251321 | 9.8 | CRITICAL, Network | apache | ofbiz | The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape user input property passed. This allows for code injection by passing that code through the URL. For example by appending this cod… | CWE-74 (Injection) | CVE-2017-15714 | 2024-11-21 12:15 | 2018-01-5 |
| 251322 | 5.4 | MEDIUM, Network | synology | chat | Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND… | CWE-79 (Cross-site Scripting) | CVE-2017-15892 | 2024-11-21 12:15 | 2017-12-29 |
| 251323 | 6.5 | MEDIUM, Network | synology | chat | Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI. | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2017-15886 | 2024-11-21 12:15 | 2017-12-29 |
| 251324 | 9.8 | CRITICAL, Network | sistemagpweb | gpweb | Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allows remote attackers to view the password and user database. | CWE-732 (Incorrect Permission Assignment for Critical Resource) | CVE-2017-15877 | 2024-11-21 12:15 | 2017-12-19 |
| 251325 | 7.2 | HIGH, Network | sistemagpweb | gpweb | Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote authenticated users to upload any type of file, including a PHP shell. | CWE-434 (Unrestricted Upload of File with Dangerous Type) | CVE-2017-15876 | 2024-11-21 12:15 | 2017-12-19 |
| 251326 | 9.8 | CRITICAL, Network | sistemagpweb | gpweb | SQL injection vulnerability in Password Recovery in GPWeb 8.4.61 allows remote attackers to execute arbitrary SQL commands via the "checkemail" parameter. | CWE-89 (SQL Injection) | CVE-2017-15875 | 2024-11-21 12:15 | 2017-12-19 |
| 251327 | 8.8 | HIGH, Network | apache | sling_authentication_service | A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method in Apache Sling Authentication Service 1.4.0 allows an attacker, through the Sling login form, to trick a victim to send over … | CWE-200 (Information Exposure) | CVE-2017-15700 | 2024-11-21 12:15 | 2017-12-19 |
| 251328 | 4.8 | MEDIUM, Network | synology | mailplus_server | Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter. | CWE-79 (Cross-site Scripting) | CVE-2017-15890 | 2024-11-21 12:15 | 2017-12-16 |
| 251329 | 3.1 | LOW, Network | nodejs | node.js | Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This… | CWE-665 (Improper Initialization) | CVE-2017-15897 | 2024-11-21 12:15 | 2017-12-12 |
| 251330 | 9.1 | CRITICAL, Network | nodejs | node.js | Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application dat… | NVD-CWE-noinfo | CVE-2017-15896 | 2024-11-21 12:15 | 2017-12-12 |