Search Results (5125 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-0154 1 Microsoft 3 Internet Explorer, Windows 10, Windows Server 2016 2025-04-20 N/A
Microsoft Internet Explorer 11 on Windows 10, 1511, and 1606 and Windows Server 2016 does not enforce cross-domain policies, allowing attackers to access information from one domain and inject it into another via a crafted application, aka, "Internet Explorer Elevation of Privilege Vulnerability."
CVE-2016-2980 1 Ibm 1 Sametime 2025-04-20 N/A
The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injection where a malicious site can inject their own script by exploiting a vulnerability in the way that the WebPlayer works. IBM X-Force ID: 113993.
CVE-2016-1155 1 Google 1 Android 2025-04-20 N/A
HTTP header injection vulnerability in the URLConnection class in Android OS 2.2 through 6.0 allows remote attackers to execute arbitrary scripts or set arbitrary values in cookies.
CVE-2017-5636 1 Apache 1 Nifi 2025-04-20 N/A
In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.
CVE-2017-5630 1 Php 1 Pear 2025-04-20 7.5 High
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
CVE-2017-5585 1 Opentext 1 Documentum Content Server 2025-04-20 N/A
OpenText Documentum Content Server (formerly EMC Documentum Content Server) 7.3, when PostgreSQL Database is used and return_top_results_row_based config option is false, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML or DDL commands via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2520.
CVE-2017-14397 2 Anydesk, Microsoft 2 Anydesk, Windows 2025-04-20 N/A
AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability.
CVE-2016-3695 2 Linux, Redhat 2 Linux Kernel, Enterprise Linux 2025-04-20 N/A
The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set.
CVE-2015-2180 1 Roundcube 1 Webmail 2025-04-20 N/A
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
CVE-2017-17513 1 Tug 1 Tex Live 2025-04-20 N/A
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
CVE-2017-17519 1 Ocaml Batteries Project 1 Ocaml Batteries 2025-04-20 N/A
batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries) 2.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17526 1 Giac Project 1 Giac 2025-04-20 N/A
Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17531 1 Gnu 1 Global 2025-04-20 N/A
gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2015-8258 1 Axis 1 Axis Communications Firmware 2025-04-20 N/A
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
CVE-2017-17535 1 Gjots2 Project 1 Gjots2 2025-04-20 N/A
lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17534 1 Mensis Project 1 Mensis 2025-04-20 N/A
uiutil.c in Mensis 0.0.080507 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17521.
CVE-2017-17533 1 Tkabber Project 1 Tkabber 2025-04-20 N/A
default.tcl in Tkabber 1.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the attack cannot occur because of the argument-parsing behavior of the Tcl exec function
CVE-2017-17532 1 Kiwi Project 1 Kiwi 2025-04-20 N/A
examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17530 1 Geomview 1 Geomview 2025-04-20 8.8 High
common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: this is disputed by a third party because no untrusted input can be used for the injection
CVE-2017-17529 1 Abisource 1 Abiword 2025-04-20 N/A
af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.