Search Results (5130 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-17531 1 Gnu 1 Global 2025-04-20 N/A
gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17532 1 Kiwi Project 1 Kiwi 2025-04-20 N/A
examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17533 1 Tkabber Project 1 Tkabber 2025-04-20 N/A
default.tcl in Tkabber 1.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the attack cannot occur because of the argument-parsing behavior of the Tcl exec function
CVE-2017-17534 1 Mensis Project 1 Mensis 2025-04-20 N/A
uiutil.c in Mensis 0.0.080507 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17521.
CVE-2017-17535 1 Gjots2 Project 1 Gjots2 2025-04-20 N/A
lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17520 1 Debian 1 Tin 2025-04-20 8.8 High
tools/url_handler.pl in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has reported that this is intentional behavior, because the documentation states "url_handler.pl was designed to work together with tin which only issues shell escaped absolute URLs.
CVE-2015-5227 1 Inboundnow 1 Wordpress Landing Pages 2025-04-20 N/A
The Landing Pages plugin before 1.9.2 for WordPress allows remote attackers to execute arbitrary code via the url parameter.
CVE-2017-17519 1 Ocaml Batteries Project 1 Ocaml Batteries 2025-04-20 N/A
batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries) 2.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-2735 1 Huawei 2 Y6 Pro, Y6 Pro Firmware 2025-04-20 N/A
TIT-AL00 smartphones with software versions earlier before TIT-AL00C583B214 have a exposed system interface vulnerability. The software provides a system interface for interaction with external applications, but calling the interface is not properly restricted. An attacker could trick the user into installing a malicious application to call the interface and modify the system properties.
CVE-2016-3695 2 Linux, Redhat 2 Linux Kernel, Enterprise Linux 2025-04-20 N/A
The einj_error_inject function in drivers/acpi/apei/einj.c in the Linux kernel allows local users to simulate hardware errors and consequently cause a denial of service by leveraging failure to disable APEI error injection through EINJ when securelevel is set.
CVE-2017-6031 1 Certec Edv Gmbh 1 Atvise Scada 2025-04-20 N/A
A Header Injection issue was discovered in Certec EDV GmbH atvise scada prior to Version 3.0. An "improper neutralization of HTTP headers for scripting syntax" issue has been identified, which may allow remote code execution.
CVE-2017-6748 1 Cisco 2 Web Security Appliance, Web Security Virtual Appliance 2025-04-20 N/A
A vulnerability in the CLI parser of the Cisco Web Security Appliance (WSA) could allow an authenticated, local attacker to perform command injection and elevate privileges to root. The attacker must authenticate with valid operator-level or administrator-level credentials. Affected Products: virtual and hardware versions of Cisco Web Security Appliance (WSA). More Information: CSCvd88855. Known Affected Releases: 10.1.0-204. Known Fixed Releases: 10.5.1-270 10.1.1-234.
CVE-2017-7459 1 Ntop 1 Ntopng 2025-04-20 N/A
ntopng before 3.0 allows HTTP Response Splitting.
CVE-2017-8809 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2025-04-20 N/A
api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29.2 has a Reflected File Download vulnerability.
CVE-2013-4578 2 Oracle, Redhat 5 Jdk, Jre, Enterprise Linux and 2 more 2025-04-20 N/A
jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.
CVE-2017-17518 1 White Dune Project 1 White Dune 2025-04-20 N/A
swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: This issue is being disputed as not being a vulnerability because “the current version of white_dune (1.369 at https://wdune.ourproject.org/) do not use a "BROWSER environment variable". Instead, the "browser" variable is read from the $HOME/.dunerc file (or from the M$Windows registry). It is configurable in the "options" menu. The default is chosen in the ./configure script, which tests various programs, first tested is "xdg-open".
CVE-2017-17517 1 Sylpheed Project 1 Sylpheed 2025-04-20 N/A
libsylph/utils.c in Sylpheed through 3.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17516 1 Reddit Terminal Viewer Project 1 Reddit Terminal Viewer 2025-04-20 N/A
scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
CVE-2017-17515 2 Debian, Ecmwf 2 Debian Linux, Metview 2025-04-20 N/A
etc/ObjectList in Metview 4.7.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the code to access this environment variable is not enabled in the shipped product
CVE-2017-17514 2 Debian, Nip2 Project 2 Debian Linux, Nip2 2025-04-20 8.8 High
boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that this product does not use the BROWSER environment variable