Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In October 2017
CVE-2017-15297
SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993.
CVSS Score
7.5
EPSS Score
0.026
Published
2017-10-16
CVE-2016-4461
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVSS Score
8.8
EPSS Score
0.014
Published
2017-10-16
CVE-2017-14952
Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.
CVSS Score
9.8
EPSS Score
0.04
Published
2017-10-16
CVE-2017-15293
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
CVSS Score
9.8
EPSS Score
0.006
Published
2017-10-16
CVE-2017-15294
The Java administration console in SAP CRM has XSS. This is SAP Security Note 2478964.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-10-16
CVE-2014-3702
Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a .. (dot dot) the session parameter.
CVSS Score
9.1
EPSS Score
0.011
Published
2017-10-16
CVE-2014-7851
oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user.
CVSS Score
7.5
EPSS Score
0.004
Published
2017-10-16
CVE-2014-8087
Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline action to ajax/ph_save.php.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-10-16
CVE-2014-8621
SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.
CVSS Score
9.8
EPSS Score
0.025
Published
2017-10-16
CVE-2014-9147
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
CVSS Score
7.5
EPSS Score
0.179
Published
2017-10-16


Products
Pricing
Contact Us

Shodan ® - All rights reserved