Security Vulnerabilities - CVEs Published In January 2018
An Unrestricted Upload Of File With Dangerous Type issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows a remote attacker to upload arbitrary files.
CVSS Score
7.5
EPSS Score
0.004
Published
2018-01-12
Seagate Media Server in Seagate Personal Cloud has unauthenticated command injection in the uploadTelemetry and getLogs functions in views.py because .psp URLs are handled by the fastcgi.server component and shell metacharacters are mishandled.
CVSS Score
9.8
EPSS Score
0.378
Published
2018-01-12
A stack-based buffer overflow within GNOME gcab through 0.7.4 can be exploited by malicious attackers to cause a crash or, potentially, execute arbitrary code via a crafted .cab file.
CVSS Score
7.8
EPSS Score
0.008
Published
2018-01-12
In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks.
CVSS Score
6.5
EPSS Score
0.009
Published
2018-01-11
In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in epan/dissectors/packet-wcp.c by validating the available buffer length.
CVSS Score
6.5
EPSS Score
0.009
Published
2018-01-11
In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash. This was addressed in epan/tvbparse.c by limiting the recursion depth.
CVSS Score
7.5
EPSS Score
0.01
Published
2018-01-11
Multiple cross-site request forgery (CSRF) vulnerabilities in Family Connections CMS (aka FCMS) 2.9 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add news via an add action to familynews.php or (2) add a prayer via an add action to prayers.php.
CVSS Score
8.8
EPSS Score
0.005
Published
2018-01-11
Multiple cross-site scripting (XSS) vulnerabilities in the Shout Reports in the DragonByte Technologies vBShout module before 6.0.6 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the (1) reportreason parameter in actions/doreport.php or (2) modnotes parameter in actions/updatereport.php.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-01-11
Multiple cross-site scripting (XSS) vulnerabilities in the DragonByte Technologies vbActivity module before 3.0.1 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the reason parameter in (1) actions/nominatemedal.php or (2) actions/requestmedal.php.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-01-11
Multiple cross-site scripting (XSS) vulnerabilities in actions/main.php in the DragonByte Technologies Forumon RPG module before 1.0.8 for vBulletin when creating a new monster, allow remote attackers to inject arbitrary web script or HTML via the (1) monster[title] or (2) monster[description] parameters.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-01-11