LiveActive security incident?Get immediate response
CVE archive

November 2017

Browse CVE records published in November 2017, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1094 matching CVEs · Page 1 of 22.

High · CVSS 8.6

CVE-2017-16715: An Information Exposure issue was discovered in Moxa NPort 5110 Version 2.2, NPort 5110 Version 2.4, NPort...

An Information Exposure issue was discovered in Moxa NPort 5110 Version 2.2, NPort 5110 Version 2.4, NPort 5110 Version 2.6, NPort 5110 Version 2.7, NPort 5130 Version 3.7 and prior, and NPort 5150 Version 3.7 and prior. An attacker may be able to exploit a flaw in the handling of Ethernet frame padding that may allow for information exposure.

Published Nov 16, 2017 · Updated Jun 2, 2026

Medium · CVSS 5.9

CVE-2017-16539: The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scs...

The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Published Nov 4, 2017 · Updated Jan 27, 2026

High · CVSS 8.6

CVE-2017-20211: UCanCode E-XD++ Visualization Enterprise Suite Untrusted Pointer Dereference RCE

UCanCode E-XD++ Visualization Enterprise Suite contains an untrusted pointer dereference vulnerability via the TKDRAWCAD.TKDrawCADCtrl.1 ActiveX control. This is because it exposes a RotateShape method that dereferences a user-supplied pointer without sufficient validation. A crafted input may cause the control to dereference an attacker-controlled pointer, enabling remote code execution in the context of the hosting process. The vulnerability requires user interaction (instantiation of the ActiveX control via a web page or a file).

Published Nov 12, 2025 · Updated Nov 13, 2025

Critical · CVSS 9.8

CVE-2017-20210: Photo Station

Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research.

Published Nov 11, 2025 · Updated Nov 13, 2025

High · CVSS 7.8 · CISA KEV

CVE-2017-16651: Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to a...

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests.

Published Nov 9, 2017 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2017-11882: Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service P...

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

Published Nov 15, 2017 · Updated Oct 21, 2025

Low · CVSS 3.8

CVE-2017-9369: In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, an information discl...

In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, an information disclosure vulnerability in the default configuration of the QNX SDP could allow an attacker to gain information relating to memory layout of higher privileged processes by manipulating environment variables that influence the loader.

Published Nov 14, 2017 · Updated Aug 26, 2025

Low · CVSS 2.6

CVE-2017-9371: In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, a loss of integrity...

In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, a loss of integrity vulnerability in the default configuration of the QNX SDP could allow an attacker being able to reduce the entropy of the PRNG, making other blended attacks more practical by gaining control over environmental factors that influence seed generation.

Published Nov 14, 2017 · Updated Aug 22, 2025

Critical · CVSS 9.6

CVE-2017-3891: In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the...

In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevation of privilege vulnerability in the default configuration of the QNX SDP with QNet enabled on networks comprising two or more QNet nodes could allow an attacker to access local and remote files or take ownership of files on other QNX nodes regardless of permissions by executing commands targeting arbitrary nodes from a secondary QNX 6.6.0 QNet node.

Published Nov 14, 2017 · Updated Aug 22, 2025

Low · CVSS 1.9

CVE-2017-3893: Incomplete vulnerability mitigations

In BlackBerry QNX Software Development Platform (SDP) 6.6.0, the default configuration of the QNX SDP system did not in all circumstances prevent attackers from modifying the GOT or PLT tables with buffer overflow attacks.

Published Nov 14, 2017 · Updated Jul 22, 2025

High · CVSS 8.8

CVE-2017-16544: In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of th...

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Published Nov 20, 2017 · Updated Jun 9, 2025

Unknown · CVSS Not scored

CVE-2017-16568: Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Radio" f...

Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Radio" functionality. This vulnerability allows attackers to inject malicious JavaScript payloads, which become permanently stored on the server and execute when a user plays the compromised radio stream. Exploitation of this vulnerability can lead to Session hijacking and unauthorized access, Persistent manipulation of web content within the application, and Phishing or malicious redirects to external domains. This vulnerability can be exploited to manipulate media server behavior in enterprise and home network environments.

Published Nov 9, 2017 · Updated Feb 4, 2025

Unknown · CVSS Not scored

CVE-2017-16567: Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Favorite...

Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Favorites" feature. This vulnerability allows remote attackers to inject and permanently store malicious JavaScript payloads, which are executed when users access the affected functionality. Exploitation of this vulnerability can lead to Session Hijacking and Credential Theft, Execution of unauthorized actions on behalf of users, and Exfiltration of sensitive data. This vulnerability presents a potential risk for widespread exploitation in connected IoT environments.

Published Nov 9, 2017 · Updated Feb 4, 2025

Medium · CVSS 6.2

CVE-2017-13321: In SensorService::isDataInjectionEnabled of frameworks/native/services/sensorservice/SensorService.cpp, the...

In SensorService::isDataInjectionEnabled of frameworks/native/services/sensorservice/SensorService.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Published Nov 27, 2024 · Updated Nov 29, 2024

High · CVSS 8.8

CVE-2017-11076: Use of Out-of-range Pointer Offset in Video

On some hardware revisions where VP9 decoding is hardware-accelerated, the frame size is not programmed correctly into the decoder hardware which can lead to an invalid memory access by the decoder.

Published Nov 26, 2024 · Updated Nov 26, 2024

High · CVSS 7.8

CVE-2017-13315: In writeToParcel and createFromParcel of DcParamObject.java, there is a permission bypass due to a write si...

In writeToParcel and createFromParcel of DcParamObject.java, there is a permission bypass due to a write size mismatch. This could lead to an elevation of privileges where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation.

Published Nov 19, 2024 · Updated Nov 20, 2024

High · CVSS 7.8

CVE-2017-13310: In createFromParcel of ViewPager.java, there is a possible read/write serialization issue leading to a perm...

In createFromParcel of ViewPager.java, there is a possible read/write serialization issue leading to a permissions bypass. This could lead to local escalation of privilege where an app can start an activity with system privileges with no additional execution privileges needed. User interaction is not needed for exploitation.

Published Nov 15, 2024 · Updated Nov 19, 2024

High · CVSS 7.8

CVE-2017-13311: In the read() function of ProcessStats.java, there is a possible read/write serialization issue leading to...

In the read() function of ProcessStats.java, there is a possible read/write serialization issue leading to a permissions bypass. This could lead to local escalation of privilege where an app can start an activity with system privileges with no additional execution privileges needed. User interaction is not needed for exploitation.

Published Nov 15, 2024 · Updated Nov 19, 2024

High · CVSS 7.8

CVE-2017-13312: In createFromParcel of MediaCas.java, there is a possible parcel read/write mismatch due to improper input...

In createFromParcel of MediaCas.java, there is a possible parcel read/write mismatch due to improper input validation. This could lead to local escalation of privilege where an app can start an activity with system privileges with no additional execution privileges needed. User interaction is not needed for exploitation.

Published Nov 15, 2024 · Updated Nov 19, 2024

High · CVSS 7.8

CVE-2017-13314: In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass du...

In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass due to a missing permission check. This could lead to local escalation of privilege allowing users to access non-VPN networks, when they are supposed to be restricted to the VPN networks, with no additional execution privileges needed. User interaction is not needed for exploitation.

Published Nov 15, 2024 · Updated Nov 19, 2024

Unknown · CVSS Not scored

CVE-2017-14027: A Use of Hard-coded Credentials issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G...

A Use of Hard-coded Credentials issue was discovered in Korenix JetNet JetNet5018G version 1.4, JetNet5310G version 1.4a, JetNet5428G-2G-2FX version 1.4, JetNet5628G-R version 1.4, JetNet5628G version 1.4, JetNet5728G-24P version 1.4, JetNet5828G version 1.1d, JetNet6710G-HVDC version 1.1e, and JetNet6710G version 1.1. The software uses undocumented hard-coded credentials that may allow an attacker to gain remote access.

Published Nov 1, 2017 · Updated Nov 14, 2024

Unknown · CVSS Not scored

CVE-2017-7739: A reflected Cross-site Scripting (XSS) vulnerability in web proxy disclaimer response web pages in Fortinet...

A reflected Cross-site Scripting (XSS) vulnerability in web proxy disclaimer response web pages in Fortinet FortiOS 5.6.0, 5.4.0 to 5.4.5, 5.2.0 to 5.2.11 allows an unauthenticated attacker to inject arbitrary web script or HTML in the context of the victim's browser via sending a maliciously crafted URL to the victim.

Published Nov 13, 2017 · Updated Oct 25, 2024

Unknown · CVSS Not scored

CVE-2017-14186: A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and belo...

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4 and below versions under SSL VPN web portal allows a remote user to inject arbitrary web script or HTML in the context of the victim's browser via the login redir parameter. An URL Redirection attack may also be feasible by injecting an external URL via the affected parameter.

Published Nov 29, 2017 · Updated Oct 25, 2024

Unknown · CVSS Not scored

CVE-2017-10266: Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core).

Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middleware (subcomponent: Core). Supported versions that are affected are 11.1.1, 12.1.1, 12.1.3 and 12.2.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via Jolt to compromise Oracle Tuxedo. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Tuxedo accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Published Nov 14, 2017 · Updated Oct 4, 2024