CVE-2017-17954
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid parameter.
Source: CVE-2017-17954
CVE-2017-17951
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid parameter.
Source: CVE-2017-17951
CVE-2017-17952
PHP Scripts Mall PHP Multivendor Ecommerce has a predictable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail address.
Source: CVE-2017-17952
CVE-2017-17960
PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerupd.php.
Source: CVE-2017-17960
CVE-2017-17950
Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid parameter.
Source: CVE-2017-17950
CVE-2017-15667
In Flexense SysGauge Server 3.6.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9221.
Source: CVE-2017-15667
CVE-2017-15886
Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI.
Source: CVE-2017-15886
CVE-2017-15892
Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter.
Source: CVE-2017-15892
CVE-2017-5641
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process, code is executed that, for several known types, has undesired side effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third-party libraries can be used to trigger remote code execution.
Source: CVE-2017-5641
CVE-2017-17940
PHP Scripts Mall Single Theater Booking has XSS via the title parameter to admin/sitesettings.php.
Source: CVE-2017-17940