Security Vulnerabilities - CVEs Published In January 2018
SQL Injection exists in Easy Car Script 2014 via the s_order or s_row parameter to site_search.php.
CVSS Score: 9.8 | EPSS Score: 0.011 | Published: 2018-01-24
SQL Injection exists in Flexible Poll 1.2 via the id parameter to mobile_preview.php or index.php.
CVSS Score: 9.8 | EPSS Score: 0.054 | Published: 2018-01-24
A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2018-01-23
A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution. The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
CVSS Score: 9.8 | EPSS Score: 0.009 | Published: 2018-01-23
Symantec Reporter 9.5 prior to 9.5.4.1 and 10.1 prior to 10.1.5.5 does not restrict excessive authentication attempts for management interface users. A remote attacker can use brute force search to guess a user password and gain access to Reporter.
CVSS Score: 9.8 | EPSS Score: 0.069 | Published: 2018-01-23
install.php in Minecraft Servers List Lite before commit c1cd164 and Premium Minecraft Servers List before 2.0.4 does not sanitize input before saving database connection information in connect.php, which might allow remote attackers to execute arbitrary PHP code via the (1) database_server, (2) database_user, (3) database_password, or (4) database_name parameter.
CVSS Score: 9.8 | EPSS Score: 0.033 | Published: 2018-01-23
SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allows remote attackers to execute arbitrary SQL commands via the search parameter to index.php/knowledge_base/get_article_suggestion/.
CVSS Score: 9.8 | EPSS Score: 0.029 | Published: 2018-01-23
The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch.
CVSS Score: 4.4 | EPSS Score: 0.001 | Published: 2018-01-23
The server in Flexense SysGauge 3.6.18 operating on port 9221 can be exploited remotely with the attacker gaining system-level access because of a Buffer Overflow.
CVSS Score: 8.1 | EPSS Score: 0.303 | Published: 2018-01-23
The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
CVSS Score: 6.0 | EPSS Score: 0.001 | Published: 2018-01-23
Shodan ® - All rights reserved