Vulnerabilities > Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

DATE CVE VULNERABILITY TITLE RISK
2017-12-14 CVE-2017-17518 Injection vulnerability in White Dune Project White Dune 0.30.10
swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network | low complexity | white-dune-project | CWE-74 | Risk: 8.8

2017-12-14 CVE-2017-17517 Injection vulnerability in Sylpheed Project Sylpheed
libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network | low complexity | sylpheed-project | CWE-74 | Risk: 8.8

2017-12-14 CVE-2017-17516 Injection vulnerability in Reddit Terminal Viewer Project Reddit Terminal Viewer 1.19.0
scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network | low complexity | reddit-terminal-viewer-project | CWE-74 | Risk: 8.8

2017-12-14 CVE-2017-17515 Injection vulnerability in multiple products
etc/ObjectList in Metview 4.7.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network | low complexity | ecmwf debian | CWE-74 | Risk: 8.8

2017-12-14 CVE-2017-17514 Injection vulnerability in multiple products
boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
network | low complexity | nip2-project debian | CWE-74 | Risk: 8.8

2017-12-14 CVE-2017-17513 Injection vulnerability in TUG TEX Live
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
network | low complexity | tug | CWE-74 | Risk: 8.8

2017-12-14 CVE-2017-17511 Injection vulnerability in multiple products
KildClient 3.1.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to prefs.c and worldgui.c.
network | low complexity | kildclient debian | CWE-74 | Risk: 8.8

2017-12-12 CVE-2017-16680 Injection vulnerability in SAP Hana Extended Application Services 1.0
Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines.
network | low complexity | sap | CWE-74 | Risk: 7.5

2017-12-11 CVE-2017-15708 Injection vulnerability in multiple products
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI).
network | low complexity | apache oracle | CWE-74 | Risk: critical, 9.8

2017-12-11 CVE-2017-17523 Injection vulnerability in Lilypond 2.19.80
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument.
network | low complexity | lilypond | CWE-74 | Risk: 8.8