Security Vulnerabilities - CVEs Published In January 2018
The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-01-12
The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-01-12
Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to login.php; the (2) season_id parameter to themes/flixer/ajax/load_season.php; the (3) movie_id parameter to themes/flixer/ajax/get_rating.php; the (4) rating or (5) movie_id parameter to themes/flixer/ajax/update_rating.php; or the (6) id parameter to themes/flixer/ajax/set_player_source.php.
CVSS Score
9.8
EPSS Score
0.029
Published
2018-01-12
An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center -> Log Viewer -> in the filter option "Web Server Protection") in the webadmin interface, and execute any action available to the webadmin of the firewall (e.g., creating a new user, enabling SSH, or adding an SSH authorized key). The WAF log page will execute the "User-Agent" parameter in the HTTP POST request.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-01-12
A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and earlier allows unauthenticated remote attackers to execute arbitrary code in the context of a highly privileged account.
CVSS Score
9.8
EPSS Score
0.409
Published
2018-01-12
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection via the event_id parameter to event.php.
CVSS Score
9.8
EPSS Score
0.067
Published
2018-01-12
Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices.
CVSS Score
5.5
EPSS Score
0.001
Published
2018-01-12
cgi-bin/AZ_Retrain.cgi in Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices does not check for authentication, which allows remote attackers to cause a denial of service (WAN connectivity reset) via a direct request.
CVSS Score
7.5
EPSS Score
0.131
Published
2018-01-12
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.
CVSS Score
9.8
EPSS Score
0.147
Published
2018-01-12
Aztech ADSL DSL5018EN (1T1R), DSL705E, and DSL705EU devices allow remote attackers to obtain sensitive device configuration information via vectors involving the ROM file.
CVSS Score
9.8
EPSS Score
0.188
Published
2018-01-12