Security Vulnerabilities - CVEs Published In February 2018
Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent XSS.
CVSS Score: 5.4 | EPSS Score: 0.01 | Published: 2018-02-04
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by sending IOCTL 0x80002010 and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.
CVSS Score: 7.8 | EPSS Score: 0.032 | Published: 2018-02-04
webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.
CVSS Score: 9.1 | EPSS Score: 0.005 | Published: 2018-02-03
An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by connecting to the filter communication port and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.
CVSS Score: 7.8 | EPSS Score: 0.003 | Published: 2018-02-03
An issue was discovered in EMC RecoverPoint for Virtual Machines versions prior to 5.1.1, EMC RecoverPoint version 5.1.0.0, and EMC RecoverPoint versions prior to 5.0.1.3. Command injection vulnerability in Boxmgmt CLI may allow a malicious user with boxmgmt privileges to bypass Boxmgmt CLI and run arbitrary commands with root privileges.
CVSS Score: 6.7 | EPSS Score: 0.002 | Published: 2018-02-03
An issue was discovered in EMC RecoverPoint for Virtual Machines versions prior to 5.1.1, EMC RecoverPoint version 5.1.0.0, and EMC RecoverPoint versions prior to 5.0.1.3. Command injection vulnerability in Admin CLI may allow a malicious user with admin privileges to escape from the restricted shell to an interactive shell and run arbitrary commands with root privileges.
CVSS Score: 6.7 | EPSS Score: 0.015 | Published: 2018-02-03
mod-gnutls does not validate client certificates when "GnuTLSClientVerify require" is set in a directory context, which allows remote attackers to spoof clients via a crafted certificate.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2018-02-03
The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2018-02-03
Path traversal vulnerability in the administrative panel in KonaKart eCommerce Platform version 8.7 and earlier could allow an attacker to download system files, as well as upload specially crafted JSP files and in turn gain access to the server.
CVSS Score: 9.8 | EPSS Score: 0.016 | Published: 2018-02-03
The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19e does not properly encode user input, which leads to a reflected file download vulnerability, and allows remote attackers to run arbitrary programs.
CVSS Score: 8.6 | EPSS Score: 0.004 | Published: 2018-02-03