Vulnerabilities > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-07-21 | CVE-2015-5195 | Improper Input Validation vulnerability in multiple products ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation. | 7.5 |
| 2017-07-21 | CVE-2015-5194 | Improper Input Validation vulnerability in multiple products The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands. | 7.5 |
| 2017-07-21 | CVE-2015-4639 | Cross-Site Request Forgery (CSRF) vulnerability in Koha Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name. | 8.8 |
| 2017-07-21 | CVE-2015-3932 | XML Injection (aka Blind XPath Injection) vulnerability in Netlock Mokka 2.7 Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object. | 7.8 |
| 2017-07-21 | CVE-2015-3931 | XML Injection (aka Blind XPath Injection) vulnerability in Microsec E-Szigno 3.2 Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object. | 7.8 |
| 2017-07-21 | CVE-2015-3640 | Code Injection vulnerability in PHPmybackuppro phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts. | 7.5 |
| 2017-07-21 | CVE-2015-3639 | Improper Input Validation vulnerability in PHPmybackuppro phpMyBackupPro 2.5 and earlier does not properly sanitize input strings, which allows remote authenticated users to execute arbitrary PHP code by storing a crafted string in a user configuration file. | 8.8 |
| 2017-07-21 | CVE-2015-3638 | Code Injection vulnerability in PHPmybackuppro phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable. | 8.8 |
| 2017-07-21 | CVE-2015-3198 | Information Exposure vulnerability in Redhat Jboss Wildfly Application Server 9.0.0 The Undertow module of WildFly 9.x before 9.0.0.CR2 and 10.x before 10.0.0.Alpha1 allows remote attackers to obtain the source code of a JSP page via a "/" at the end of a URL. | 7.5 |
| 2017-07-21 | CVE-2017-9930 | Cross-Site Request Forgery (CSRF) vulnerability in Greenpacket Dx-350 Firmware 2.8.9.5G1.4.8Atheeb Cross-Site Request Forgery (CSRF) exists in Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, as demonstrated by a request to ajax.cgi that enables UPnP. | 8.8 |