Security Vulnerabilities - CVEs Published In February 2018
Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2018-02-06
In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virtual server using the URL categorization feature may cause the Traffic Management Microkernel (TMM) to produce a core file when it receives malformed URLs during categorization.
CVSS Score: 6.8 | EPSS Score: 0.007 | Published: 2018-02-06
NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process. This issue is rated as high. Product: Android. Version: N/A. Android: A-38027496. Reference: N-CVE-2017-6258.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2018-02-06
NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnerability when running in media server which may cause an out of bounds write and could lead to local code execution in a privileged process. This issue is rated as high. Product: Android. Version: N/A. Android: A-65023166. Reference: N-CVE-2017-6279.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2018-02-06
The Grammarly extension before 2018-02-02 for Chrome allows remote attackers to discover authentication tokens via an 'action: "user"' request to iframe.gr_-ifr, because the exposure of these tokens is not restricted to any specific web site.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-02-06
West Wind Web Server 6.x does not require authentication for /ADMIN.ASP.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2018-02-06
SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action.
CVSS Score: 9.8 | EPSS Score: 0.026 | Published: 2018-02-05
Information Leakage exists in the jLike 1.0 component for Joomla! via a task=getUserByCommentId request.
CVSS Score: 7.5 | EPSS Score: 0.15 | Published: 2018-02-05
In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as used in Parsec before 140-3, insufficient Origin header validation (accepting an arbitrary substring match) for WebSocket API requests allows remote attackers to bypass intended access restrictions. In Parsec, this means full control over the victim's computer.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-02-05
SQL Injection exists in the Zh GoogleMap 8.4.0.0 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.
CVSS Score: 9.8 | EPSS Score: 0.014 | Published: 2018-02-05

