Security Vulnerabilities - CVEs Published In January 2018
EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL pointer dereference in the CGI handler resulting in memory corruption or denial of service.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2018-01-03
The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO C++ Libraries before 1.8 does not properly restrict the filename value in the ZIP header, which allows attackers to conduct absolute path traversal attacks during the ZIP decompression, and possibly create or overwrite arbitrary files, via a crafted ZIP file, related to a "file path injection vulnerability".
CVSS Score: 6.5 | EPSS Score: 0.005 | Published: 2018-01-03
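The check this entry describes, as an added example that is not POCO's code: a validator that rejects ZIP member names which could resolve outside the extraction directory (absolute POSIX paths, UNC and drive-letter prefixes, any `..` component, embedded NUL bytes, with backslashes treated as separators), plus a join helper that refuses to produce a path for an unvalidated name. The namespace, function names and the exact rule set are assumptions made for this example.

```cpp
// Added example: a validator for ZIP member names, illustrating the check the
// POCO entry describes. Not POCO's code; names and rules are assumptions.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

namespace ziptraversal {

// Split on both '/' and '\\': archives written on Windows may carry
// backslashes, and some extractors normalise them to directory separators.
static std::vector<std::string> splitComponents(const std::string& name) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : name) {
        if (c == '/' || c == '\\') {
            parts.push_back(cur);
            cur.clear();
        } else {
            cur.push_back(c);
        }
    }
    parts.push_back(cur);
    return parts;
}

// True only if `name` is a relative path that cannot resolve outside the
// extraction directory:
//   - non-empty and free of NUL bytes
//   - not absolute: no leading '/' or '\\' (POSIX root, UNC), no "C:" prefix
//   - no ".." component in any position
bool isSafeEntryName(const std::string& name) {
    if (name.empty()) return false;
    if (name.find('\0') != std::string::npos) return false;
    if (name[0] == '/' || name[0] == '\\') return false;
    if (name.size() >= 2 && name[1] == ':' &&
        std::isalpha(static_cast<unsigned char>(name[0]))) return false;
    for (const std::string& part : splitComponents(name)) {
        if (part == "..") return false;
    }
    return true;
}

// Join a member name onto the destination directory, normalising backslashes.
// Returns an empty string instead of a path when the name fails validation,
// so a caller cannot accidentally write to an unchecked location.
std::string joinToDestination(const std::string& dest, const std::string& name) {
    if (!isSafeEntryName(name)) return "";
    std::string out = dest;
    if (out.empty() || out.back() != '/') out.push_back('/');
    for (char c : name) out.push_back(c == '\\' ? '/' : c);
    return out;
}

} // namespace ziptraversal

int main() {
    // Constructed member names: one benign, the rest shaped like traversal payloads.
    const char* names[] = {"docs/readme.txt", "/etc/cron.d/job",
                           "../../.ssh/authorized_keys", "C:\\Windows\\win.ini", "a/..\\b"};
    for (const char* n : names) {
        std::cout << (ziptraversal::isSafeEntryName(n) ? "accept " : "reject ") << n << '\n';
    }
    return 0;
}
```

The validator works on the raw header string rather than on a canonicalised filesystem path, which is the point: by the time a path has been joined and canonicalised, an absolute name has already replaced the destination. A production extractor would additionally reject symlink members or resolve them after extraction, which this example does not cover.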
Linux Dash up to version v2 is vulnerable to multiple command injection vulnerabilities in the way module names are parsed and then executed, resulting in code execution on the server, potentially as root.
CVSS Score: 7.8 | EPSS Score: 0.003 | Published: 2018-01-03
By linking to a specific URL in Plone 2.5 through 5.1rc1 with a crafted parameter, an attacker could send you to a website of the attacker's choosing (an open redirect). On its own this is not so bad: the attacker could just as easily link directly to that website. But in combination with another attack, you could be sent to the Plone login form, log in, get redirected to the specific URL, and then get a second redirect to the attacker's website. (The specific URL can be seen by inspecting the hotfix code; the advisory deliberately does not spell it out.)
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-01-03
Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, which allows local users to obtain sensitive authentication information via standard filesystem operations.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2018-01-03
CVE-2017-1000486 (Known exploited)
Primetek PrimeFaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.94 | Published: 2018-01-03
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CVSS Score: 9.8 | EPSS Score: 0.132 | Published: 2018-01-03
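A command-injection illustration added here for this plexus-utils entry and for the Linux Dash entry above. It is example code, not taken from either project, and all names in it are assumptions. It shows why wrapping an argument in double quotes leaves `$(...)`, `$VAR` and backticks live for /bin/sh, the single-quote quoting that makes an argument fully literal, a small model of the shell's lexer used to compare the two, and an allowlist check for the case where the value only selects one of a fixed set of server-side modules.

```cpp
// Added example, not code from plexus-utils or Linux Dash: how an argument is
// made safe for /bin/sh, and why double quotes are not enough. All names here
// are assumptions for the example.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

namespace shquote {

// Naive: wrap in "..." and escape only embedded double quotes. Inside "...",
// the shell still expands $VAR, $(cmd) and `cmd`, so injection survives.
std::string quoteDoubleNaive(const std::string& arg) {
    std::string out = "\"";
    for (char c : arg) {
        if (c == '"') out += "\\\"";
        else out.push_back(c);
    }
    out.push_back('"');
    return out;
}

// Correct for POSIX sh: wrap in '...' and splice each embedded ' as '\''.
// Nothing inside single quotes is interpreted by the shell.
std::string quoteSingle(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out.push_back(c);
    }
    out.push_back('\'');
    return out;
}

// Simplified model of the shell's lexer: returns true if `token` contains a
// $ or ` that the shell would still act on. Tracks '...' and "..." state and
// backslash escapes; that is enough to compare the two quoting strategies.
bool shellWouldExpand(const std::string& token) {
    bool inSingle = false, inDouble = false;
    for (std::size_t i = 0; i < token.size(); ++i) {
        const char c = token[i];
        if (inSingle) {                       // everything literal until the next '
            if (c == '\'') inSingle = false;
            continue;
        }
        if (c == '\\') { ++i; continue; }     // escaped character, skip it
        if (inDouble) {
            if (c == '"') inDouble = false;
            else if (c == '$' || c == '`') return true;
            continue;
        }
        if (c == '\'') inSingle = true;
        else if (c == '"') inDouble = true;
        else if (c == '$' || c == '`') return true;
    }
    return false;
}

// Build a command line from a program and arguments using the given quoter.
std::string buildCommand(const std::string& program, const std::vector<std::string>& args,
                         std::string (*quote)(const std::string&)) {
    std::string cmd = program;
    for (const std::string& a : args) {
        cmd += ' ';
        cmd += quote(a);
    }
    return cmd;
}

// Allowlist check for a value that selects one of a fixed set of server-side
// modules (the Linux Dash case). When the set is known, rejecting anything
// outside it is simpler and stronger than escaping.
bool isAllowedModule(const std::string& name) {
    static const char* const kModules[] = {"cpu", "memory", "disk", "network"}; // assumed set
    for (const char* m : kModules) if (name == m) return true;
    return false;
}

} // namespace shquote

int main() {
    const std::string payload = "$(id > /tmp/pwned)";   // constructed injection attempt
    std::cout << shquote::buildCommand("/usr/bin/stat", {payload}, shquote::quoteDoubleNaive)
              << "  expands? " << shquote::shellWouldExpand(shquote::quoteDoubleNaive(payload)) << '\n';
    std::cout << shquote::buildCommand("/usr/bin/stat", {payload}, shquote::quoteSingle)
              << "  expands? " << shquote::shellWouldExpand(shquote::quoteSingle(payload)) << '\n';
    return 0;
}
```

The safest option, when the platform allows it, is to avoid the shell entirely and pass an argument vector to an exec-style API; quoting is only needed when a string must be handed to `sh -c`. The lexer model is deliberately partial (it ignores word splitting, globbing and `\` semantics outside quotes beyond skipping one character) and exists only to make the difference between the two quoters checkable.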
Online Ticket Booking has XSS via the admin/sitesettings.php keyword parameter.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2018-01-03
Online Ticket Booking has CSRF via admin/movieedit.php.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2018-01-03
Online Ticket Booking has XSS via the admin/manageownerlist.php contact parameter.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2018-01-03
Shodan ® - All rights reserved