Security Vulnerabilities - CVEs Published In February 2018
SQL Injection exists in the JMS Music 1.1.1 component for Joomla! via a search with the keyword, artist, or username parameter.
CVSS Score
9.8
EPSS Score
0.014
Published
2018-02-02
The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-02-02
A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.
CVSS Score
8.1
EPSS Score
0.003
Published
2018-02-02
Pointer dereference in subsystem in Intel Graphics Driver 15.40.x.x, 15.45.x.x, 15.46.x.x allows unprivileged user to elevate privileges via local access.
CVSS Score
7.8
EPSS Score
0.0
Published
2018-02-02
dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-02-02
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-02-02
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-02-02
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-02-02
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-02-02
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
CVSS Score
4.8
EPSS Score
0.001
Published
2018-02-02