Security Vulnerabilities - CVEs Published In January 2018
A member of a Plone 2.5-5.1rc1 site could set JavaScript in the home_page property of their profile and have it executed when a visitor clicks the home page link on the author page.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2018-01-03
Accessing private content via str.format in through-the-web templates and scripts in Plone 2.5-5.1rc1. This improves an earlier hotfix. Since the format method was introduced in Python 2.6, this part of the hotfix is only relevant for Plone 4 and 5.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2018-01-03
Mautic versions 2.0.0 - 2.11.0 with an SSO plugin installed could allow a disabled user to still log in using an email address.
CVSS Score: 8.1 | EPSS Score: 0.003 | Published: 2018-01-03
Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session (must be logged into Mautic) to use the Filemanager to download any file from the server that the web user has access to.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2018-01-03
Mautic versions 2.1.0 - 2.11.0 are vulnerable to an inline JS XSS attack when Mautic forms on a Mautic landing page use GET parameters to pre-populate the form.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-01-03
LavaLite version 5.2.4 is vulnerable to a stored cross-site scripting vulnerability within the blog creation page, which can result in disruption of service and execution of JavaScript code.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2018-01-03
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.059 | Published: 2018-01-03
Uninitialized stack variable vulnerability in NameValueParserEndElt (upnpreplyparse.c) in miniupnpd < 2.0 allows an attacker to cause Denial of Service (Segmentation fault and Memory Corruption) or possibly have unspecified other impact.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2018-01-03
QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site Scripting in the user's real name field, resulting in denial of service and performing unauthorised actions with an administrator user's account.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-01-03
Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration import functionality resulting in denial of service and possibly remote execution of code.
CVSS Score: 8.8 | EPSS Score: 0.008 | Published: 2018-01-03
Shodan ® - All rights reserved