Vulnerabilities > Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-12-14 | CVE-2017-17514 | Injection vulnerability in multiple products: boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. | 8.8 |
2017-12-14 | CVE-2017-17513 | Injection vulnerability in TUG TEX Live: TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua. | 8.8 |
2017-12-14 | CVE-2017-17511 | Injection vulnerability in multiple products: KildClient 3.1.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to prefs.c and worldgui.c. | 8.8 |
2017-12-12 | CVE-2017-16680 | Injection vulnerability in SAP Hana Extended Application Services 1.0: Two potential audit log injections in SAP HANA extended application services 1.0, advanced model: 1) Certain HTTP/REST endpoints of controller service are missing user input validation which could allow unprivileged attackers to forge audit log lines. | 7.5 |
2017-12-11 | CVE-2017-15708 | Injection vulnerability in multiple products: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). | 9.8 |
2017-12-11 | CVE-2017-17523 | Injection vulnerability in Lilypond 2.19.80: lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument. | 8.8 |
2017-12-11 | CVE-2017-17512 | Injection vulnerability in Sensible-Utils Project Sensible-Utils: sensible-browser in sensible-utils before 0.0.11 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument. | 8.8 |
2017-11-17 | CVE-2017-1000217 | Injection vulnerability in Opencast: Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0. | 8.8 |
2017-11-16 | CVE-2017-16719 | Injection vulnerability in Moxa products: An Injection issue was discovered in Moxa NPort 5110 Version 2.2, NPort 5110 Version 2.4, NPort 5110 Version 2.6, NPort 5110 Version 2.7, NPort 5130 Version 3.7 and prior, and NPort 5150 Version 3.7 and prior. | 7.5 |
2017-11-15 | CVE-2017-8809 | Injection vulnerability in multiple products: api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability. | 9.8 |