LiveActive security incident?Get immediate response
CVE archive

2017 CVE Archive

Browse CVE records published in 2017 CVE Archive, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 14752 matching CVEs · Page 4 of 296.

Medium · CVSS 6.1

CVE-2017-1303: IBM WebSphere Portal and Web Content Manager 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting.

IBM WebSphere Portal and Web Content Manager 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125457.

Published Jul 31, 2017 · Updated Dec 4, 2025

Critical · CVSS 9.1

CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source add...

avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.

Published May 1, 2017 · Updated Dec 3, 2025

Critical · CVSS 9.8

CVE-2017-7375: A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did n...

A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable).

Published Feb 19, 2018 · Updated Dec 3, 2025

Critical · CVSS 9.2

CVE-2017-20205: Valve Source SDK Stack-Based Buffer Overflow RCE

Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function `nexttoken` copies characters from an input string into a fixed-size stack buffer without performing bounds checks. When `ParseKeyValue` processes a collisionpair rule longer than the destination buffer (256 bytes), an overflow of the stack buffer `szToken` can occur and overwrite the function return address. A remote attacker can trigger the vulnerable code by supplying a specially crafted ragdoll model which causes the oversized collisionpair rule to be parsed, resulting in remote code execution on affected clients or servers. Valve has addressed this issue in many of their Source games, but independently-developed games must manually apply patch.

Published Oct 15, 2025 · Updated Nov 21, 2025

Critical · CVSS 9.3

CVE-2017-20203: NetSarang v5.0 Malicious Backdoor Supply Chain Compromise

NetSarang Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220 contain a malicious nssock2.dll that implements a multi-stage, DNS-based backdoor. The dormant library contacts a C2 DNS server via a specially crafted TXT record for a month‑generated domain. After receiving a decryption key, it then downloads and executes arbitrary code, creates an encrypted virtual file system (VFS) in the registry, and grants the attacker full remote code execution, data exfiltration, and persistence. NetSarang released builds for each product line that remediated the compromise: Xmanager Enterprise Build 1236, Xmanager Build 1049, Xshell Build 1326, Xftp Build 1222, and Xlpd Build 1224. Kaspersky Lab identified an instance of exploitation in the wild in August 2017.

Published Oct 9, 2025 · Updated Nov 21, 2025

Critical · CVSS 9.3

CVE-2017-20201: CCleaner v5.33.6162 & CCleaner Cloud v1.07.3191 Malicious Backdoor Supply Chain Compromise

CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 (32-bit builds) contained a malicious pre-entry-point loader that diverts execution from __scrt_common_main_seh into a custom loader. That loader decodes an embedded blob into shellcode, allocates executable heap memory, resolves Windows API functions at runtime, and transfers execution to an in-memory payload. The payload performs anti-analysis checks, gathers host telemetry, encodes the data with a two-stage obfuscation, and attempts HTTPS exfiltration to hard-coded C2 servers or month-based DGA domains. Potential impacts include remote data collection and exfiltration, stealthy in-memory execution and persistence, and potential lateral movement. CCleaner was developed by Piriform, which was acquired by Avast in July 2017; Avast later merged with NortonLifeLock to form the parent company now known as Gen Digital. According to vendor advisories, the compromised CCleaner build was released on August 15, 2017 and remediated on September 12, 2017 with v5.34; the compromised CCleaner Cloud build was released on August 24, 2017 and remediated on September 15, 2017 with v1.07.3214.

Published Oct 8, 2025 · Updated Nov 21, 2025

Medium · CVSS 5.1

CVE-2017-20209: Nagios Fusion < 4.0.1 XSS via Users/Servers Page

Nagios Fusion versions prior to 4.0.1 are vulnerable to cross-site scripting (XSS) via the Users and Servers pages. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser.

Published Oct 30, 2025 · Updated Nov 17, 2025

High · CVSS 8.6

CVE-2017-20211: UCanCode E-XD++ Visualization Enterprise Suite Untrusted Pointer Dereference RCE

UCanCode E-XD++ Visualization Enterprise Suite contains an untrusted pointer dereference vulnerability via the TKDRAWCAD.TKDrawCADCtrl.1 ActiveX control. This is because it exposes a RotateShape method that dereferences a user-supplied pointer without sufficient validation. A crafted input may cause the control to dereference an attacker-controlled pointer, enabling remote code execution in the context of the hosting process. The vulnerability requires user interaction (instantiation of the ActiveX control via a web page or a file).

Published Nov 12, 2025 · Updated Nov 13, 2025

Critical · CVSS 9.8

CVE-2017-20210: Photo Station

Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research.

Published Nov 11, 2025 · Updated Nov 13, 2025

Unknown · CVSS Not scored

CVE-2017-9798: Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be...

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Published Sep 18, 2017 · Updated Nov 4, 2025

Medium · CVSS 6.6

CVE-2017-7938: Stack-based buffer overflow in DMitry (Deepmagic Information Gathering Tool) version 1.3a (Unix) allows att...

Stack-based buffer overflow in DMitry (Deepmagic Information Gathering Tool) version 1.3a (Unix) allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long argument. An example threat model is automated execution of DMitry with hostname strings found in local log files.

Published Apr 20, 2017 · Updated Nov 3, 2025

Medium · CVSS 4.3

CVE-2017-20162: vercel ms index.js parse redos

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

Published Jan 5, 2023 · Updated Nov 3, 2025