Search Results (Refine Search)
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2017-7344 |
A privilege escalation in Fortinet FortiClient Windows 5.4.3 and earlier as well as 5.6.0 allows attacker to gain privilege via exploiting the Windows "security alert" dialog thereby popping up when the "VPN before logon" feature is enabled and an untrusted certificate chain. Published: December 14, 2017; 1:29:00 PM -0500 |
V3.0: 8.1 HIGH V2.0: 7.6 HIGH |
CVE-2017-17535 |
lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:01 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17534 |
uiutil.c in Mensis 0.0.080507 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17521. Published: December 14, 2017; 11:29:01 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17533 |
default.tcl in Tkabber 1.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the attack cannot occur because of the argument-parsing behavior of the Tcl exec function Published: December 14, 2017; 11:29:01 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17532 |
examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:01 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17531 |
gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:01 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17530 |
common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: this is disputed by a third party because no untrusted input can be used for the injection Published: December 14, 2017; 11:29:00 AM -0500 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17529 |
af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17528 |
backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17527 |
delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer has indicated that the code referencing the BROWSER environment variable is never used Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17526 |
Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17525 |
guiclient/guiclient.cpp in xTuple PostBooks 4.7.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17524 |
library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17522 |
Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17521 |
uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17520 |
tools/url_handler.pl in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has reported that this is intentional behavior, because the documentation states "url_handler.pl was designed to work together with tin which only issues shell escaped absolute URLs. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17519 |
batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries) 2.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17518 |
swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: This issue is being disputed as not being a vulnerability because “the current version of white_dune (1.369 at https://wdune.ourproject.org/) do not use a "BROWSER environment variable". Instead, the "browser" variable is read from the $HOME/.dunerc file (or from the M$Windows registry). It is configurable in the "options" menu. The default is chosen in the ./configure script, which tests various programs, first tested is "xdg-open". Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17517 |
libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2017-17516 |
scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. Published: December 14, 2017; 11:29:00 AM -0500 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |