Search Results (10015 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2017-1000141 | 1 Mahara | 1 Mahara | 2024-11-21 | N/A | An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, deleting account). The correct behavior was to either prompt them for their password and/or send a warning to their primary email address. |
| CVE-2017-0936 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither disclosed nor could the error be misused to identify as another user. |
| CVE-2017-0928 | 1 Theguardian | 1 Html-janitor | 2024-11-21 | N/A | The html-janitor node module suffers from an External Control of Critical State Data vulnerability via user control of the '_sanitized' variable, causing sanitization to be bypassed. |
| CVE-2017-0922 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | GitLab Enterprise Edition version 10.3 is vulnerable to an authorization bypass issue in the GitLab Projects::BoardsController component, resulting in an information disclosure on any board object. |
| CVE-2017-0921 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an unverified password change issue in the PasswordsController component, resulting in potential account takeover if a victim's session is compromised. |
| CVE-2017-0920 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10.3.4 are vulnerable to an authorization bypass issue in the Projects::MergeRequests::CreationsController component, allowing an attacker to see every project name and its respective namespace on a GitLab instance. |
| CVE-2017-0367 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | N/A | MediaWiki before 1.28.1 / 1.27.2 contains an unsafe use of a temporary directory: having the LocalisationCache directory default to the system tmp directory is insecure. |
| CVE-2017-0364 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | N/A | MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Special:Search allows redirects to any interwiki link. |
| CVE-2017-0363 | 2 Debian, Mediawiki | 2 Debian Linux, Mediawiki | 2024-11-21 | N/A | MediaWiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:UserLogin?returnto=interwiki:foo will redirect to external sites. |
| CVE-2016-9598 | 2 Redhat, Xmlsoft | 2 Jboss Core Services, Libxml2 | 2024-11-21 | 6.5 Medium | libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vulnerability exists because of a missing fix for CVE-2016-4483. |
| CVE-2016-9597 | 6 Canonical, Debian, Hp and 3 more | 7 Ubuntu Linux, Debian Linux, Icewall Federation Agent and 4 more | 2024-11-21 | N/A | It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, leaving it vulnerable to a denial of service attack due to a stack overflow. This is a regression CVE for the same issue as CVE-2016-3705. |
| CVE-2016-9596 | 2 Redhat, Xmlsoft | 2 Jboss Core Services, Libxml2 | 2024-11-21 | 6.5 Medium | libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627. |
| CVE-2016-9594 | 1 Haxx | 1 Curl | 2024-11-21 | N/A | curl before version 7.52.1 is vulnerable to an uninitialized random value in libcurl's internal function that is supposed to return a good 32-bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable. |
| CVE-2016-9491 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-11-21 | N/A | ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user who is able to access the /register.do page (most likely limited to administrators) to browse the filesystem and read system files, including the Applications Manager configuration, stored private keys, etc. By default Applications Manager runs with administrative privileges, so it is possible to access every directory on the underlying operating system. |
| CVE-2016-9487 | 1 W3 | 1 Epubcheck | 2024-11-21 | 7.8 High | EpubCheck 4.0.1 does not properly restrict resolving external entities when parsing XML in EPUB files during validation. An attacker who supplies a specially crafted EPUB file may be able to exploit this behavior to read arbitrary files, or have the victim execute arbitrary requests on the attacker's behalf, abusing the victim's trust relationship with other entities. |
| CVE-2016-9078 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A | Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. Note: this issue only affects Firefox 49 and 50. This vulnerability affects Firefox < 50.0.1. |
| CVE-2016-8526 | 1 Hp | 1 Airwave | 2024-11-21 | N/A | Aruba AirWave, all versions up to but not including 8.2.3.1, is vulnerable to XML external entities (XXE). XXEs are a way to permit XML parsers to access storage that exists on external systems. If an unprivileged user is permitted to control the contents of XML files, XXE can be used as an attack vector. Because the XML parser has access to the local filesystem and runs with the permissions of the web server, it can access any file that is readable by the web server and copy it to an external system of the attacker's choosing. This could include files that contain passwords, which could then lead to privilege escalation. |
| CVE-2016-6545 | 1 Ieasytec | 1 Itrackeasy | 2024-11-21 | N/A | Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64-encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password. |
| CVE-2016-6154 | 2 Microsoft, Watchguard | 2 Windows, Fireware | 2024-11-21 | N/A | The authentication applet in WatchGuard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect). |
| CVE-2016-20007 | 1 Rest/json Project | 1 Rest/json | 2024-11-21 | 7.5 High | The REST/JSON project 7.x-1.x for Drupal allows session name guessing, aka SA-CONTRIB-2016-033. NOTE: this project is not covered by Drupal's security advisory policy. |