LiveActive security incident?Get immediate response
CVE archive

May 2017

Browse CVE records published in May 2017, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 997 matching CVEs · Page 2 of 20.

Critical · CVSS 9.8

CVE-2017-14478: In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_...

In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Linux), a specially crafted MMM protocol message can cause a shell command injection resulting in arbitrary command execution with the privileges of the mmm\_agentd process. An attacker that can initiate a TCP session with mmm\_agentd can trigger this vulnerability.

Published May 9, 2018 · Updated Sep 17, 2024

Medium · CVSS 6.8

CVE-2017-5535: TIBCO DataSynapse GridServer improper use of encryption

The GridServer Broker, GridServer Driver, and GridServer Engine components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities related to both the improper use of encryption mechanisms and the use of weak ciphers. A malicious actor could theoretically compromise the traffic between any of the components. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.

Published May 1, 2018 · Updated Sep 17, 2024

Medium · CVSS 6.3

CVE-2017-5536: TIBCO DataSynapse GridServer manager component vulnerable to cross-site scripting attacks

The GridServer Broker, and GridServer Director components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS). In addition, an authenticated user could be a victim of a cross-site request forgery (CSRF) attack. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.

Published May 1, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-9635: Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges.

Schneider Electric Ampla MES 6.4 provides capability to configure users and their privileges. When Ampla MES users are configured to use Simple Security, a weakness in the password hashing algorithm could be exploited to reverse the user's password. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.

Published May 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-15855: In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using t...

In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel before security patch level 2018-04-05, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in user space. An unchecked userspace value (ioctl_ptr->len) is used to copy contents to a kernel buffer which can lead to kernel buffer overflow.

Published May 17, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-16003: windows-build-tools is a module for installing C++ Build Tools for Windows using npm.

windows-build-tools is a module for installing C++ Build Tools for Windows using npm. windows-build-tools versions below 1.0.0 download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Published May 29, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-9225: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in...

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.

Published May 24, 2017 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-9138: There is a debug-interface vulnerability on some Tenda routers (FH1202/F1202/F1200: versions before 1.2.0.20).

There is a debug-interface vulnerability on some Tenda routers (FH1202/F1202/F1200: versions before 1.2.0.20). After connecting locally to a router in a wired or wireless manner, one can bypass intended access restrictions by sending shell commands directly and reading their results, or by entering shell commands that change this router's username and password.

Published May 21, 2017 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-6289: In Android before the 2018-05-05 security patch level, NVIDIA Trusted Execution Environment (TEE) contains...

In Android before the 2018-05-05 security patch level, NVIDIA Trusted Execution Environment (TEE) contains a memory corruption (due to unusual root cause) vulnerability, which if run within the speculative execution of the TEE, may lead to local escalation of privileges. This issue is rated as critical. Android: A-72830049. Reference: N-CVE-2017-6289.

Published May 10, 2018 · Updated Sep 17, 2024

High · CVSS 7.5

CVE-2017-14436: An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1...

An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA\_CFG2.ini" without a cookie header to trigger this vulnerability.

Published May 14, 2018 · Updated Sep 17, 2024

Critical · CVSS 9.8

CVE-2017-14476: In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_ag...

In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Solaris), a specially crafted MMM protocol message can cause a shell command injection resulting in arbitrary command execution with the privileges of the mmm\_agentd process. An attacker that can initiate a TCP session with mmm\_agentd can trigger this vulnerability.

Published May 9, 2018 · Updated Sep 17, 2024

Critical · CVSS 9.8

CVE-2017-14481: In the MMM::Agent::Helpers::Network::send_arp function in MySQL Multi-Master Replication Manager (MMM) mmm_...

In the MMM::Agent::Helpers::Network::send_arp function in MySQL Multi-Master Replication Manager (MMM) mmm_agentd 2.2.1 (for Solaris), a specially crafted MMM protocol message can cause a shell command injection resulting in arbitrary command execution with the privileges of the mmm\_agentd process. An attacker that can initiate a TCP session with mmm\_agentd can trigger this vulnerability.

Published May 9, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-8898: Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, all...

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has stored XSS in the Announcements, allowing privilege escalation from an Invision Power Board moderator to an admin. An attack uses the announce_content parameter in an index.php?/modcp/announcements/&action=create request. This is related to the "<> Source" option.

Published May 11, 2017 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-8773: Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10.1.0.316, and Quick Heal AntiVirus Pro...

Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10.1.0.316, and Quick Heal AntiVirus Pro 10.1.0.316 are vulnerable to Out of Bounds Write on a Heap Buffer due to improper validation of dwCompressionSize of Microsoft WIM Header WIMHEADER_V1_PACKED. This vulnerability can be exploited to gain Remote Code Execution as well as Privilege Escalation.

Published May 4, 2017 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-9637: Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases.

Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from the connection string. Schneider Electric recommends that users of Ampla MES versions 6.4 and prior should upgrade to Ampla MES version 6.5 as soon as possible.

Published May 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2017-8899: Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Inform...

Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The primary cause is the ability to upload an SVG document with a crafted attribute such an onload; however, full path disclosure is required for exploitation.

Published May 11, 2017 · Updated Sep 17, 2024

High · CVSS 8.8

CVE-2017-14433: An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1...

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the remoteNetwork0= parameter in the "/goform/net\_Web\_get_value" uri to trigger this vulnerability.

Published May 14, 2018 · Updated Sep 17, 2024