Security Vulnerabilities - CVEs Published In January 2018
CMS Made Simple versions 2.1.6 and 2.2 are vulnerable to Smarty template injection in some core modules, resulting in unauthenticated PHP code execution.
CVSS Score: 9.8 | EPSS Score: 0.01 | Published: 2018-01-02

CMS Made Simple 2.1.6, 2.2 and 2.2.1 are vulnerable to Smarty template injection in some core components, resulting in local file read before 2.2 and local file inclusion since 2.2.1.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2018-01-02

Eleix Openhacker version 0.1.47 is vulnerable to an SQL injection in the account registration and login component, resulting in information disclosure and remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.013 | Published: 2018-01-02

ImageMagick 7.0.7-1 and older versions are vulnerable to a null pointer dereference in the MagickCore component, which might lead to denial of service.
CVSS Score: 6.5 | EPSS Score: 0.018 | Published: 2018-01-02

gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date-based) password to the admin, which makes it easier for remote attackers to obtain access by predicting this new password. This is related to the use of gmdate for password creation in fn_connect.php.
CVSS Score: 9.8 | EPSS Score: 0.369 | Published: 2018-01-02

The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by <?php system($_GET[cmd]); ?> in a login request.
CVSS Score: 9.8 | EPSS Score: 0.312 | Published: 2018-01-02

Passbolt API version 1.6.4 and older are vulnerable to an XSS in the url field on the password workspace.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2018-01-02

Eleix Openhacker version 0.1.47 is vulnerable to an XSS vulnerability in the bank transactions component, resulting in arbitrary code execution in the browser.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2018-01-02

The ILLID Share This Image plugin before 1.04 for WordPress has XSS via the sharer.php url parameter.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2018-01-02

A Path Traversal issue was discovered in Schneider Electric Pelco VideoXpert Enterprise, all versions prior to 2.1. By sniffing communications, an unauthorized person can execute a directory traversal attack resulting in authentication bypass or session hijack.
CVSS Score: 6.9 | EPSS Score: 0.005 | Published: 2018-01-02


Shodan ® - All rights reserved