Security Vulnerabilities - CVEs Published In January 2017
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
CVSS Score: 7.5 | EPSS Score: 0.009 | Published: 2017-01-23
The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2017-01-23
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2017-01-23
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2017-01-23
The mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-01-23
Terminology 0.7.0 allows remote attackers to execute arbitrary commands via escape sequences that modify the window title and then are written to the terminal, a similar issue to CVE-2003-0063.
CVSS Score: 7.8 | EPSS Score: 0.006 | Published: 2017-01-23
Stack-based buffer overflow in the ValidateMove function in frontend/move.cc in GNU Chess (aka gnuchess) before 6.2.4 might allow context-dependent attackers to execute arbitrary code via a large input, as demonstrated when in UCI mode.
CVSS Score: 9.8 | EPSS Score: 0.032 | Published: 2017-01-23
Multiple cross-site scripting (XSS) vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page or (2) action parameter.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2017-01-23
Multiple SQL injection vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow (1) remote administrators to execute arbitrary SQL commands via the delid parameter or remote authenticated users to execute arbitrary SQL commands via the (2) view, (3) mark, or (4) change parameter.
CVSS Score: 8.8 | EPSS Score: 0.021 | Published: 2017-01-23
Untrusted search path vulnerability in the installer for TrueCrypt 7.2 and 7.1a, VeraCrypt before 1.17-BETA, and possibly other products allows local users to execute arbitrary code with administrator privileges and conduct DLL hijacking attacks via a Trojan horse DLL in the "application directory", as demonstrated with the USP10.dll, RichEd20.dll, NTMarta.dll and SRClient.dll DLLs.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2017-01-23
Shodan ® - All rights reserved