Security Vulnerabilities - CVEs Published In February 2018
ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection via the imageId parameter in a facetag.changeTag or facetag.listTags action.
CVSS Score
9.8
EPSS Score
0.016
Published
2018-02-26
The f2fs implementation in the Linux kernel before 4.14 mishandles reference counts associated with f2fs_wait_discard_bios calls, which allows local users to cause a denial of service (BUG), as demonstrated by fstrim.
CVSS Score
5.5
EPSS Score
0.0
Published
2018-02-26
YzmCMS 3.6 allows remote attackers to discover the full path via a direct request to application/install/templates/s1.php.
CVSS Score
5.3
EPSS Score
0.004
Published
2018-02-26
When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.
CVSS Score
7.5
EPSS Score
0.006
Published
2018-02-26
An issue was discovered in PureVPN through 5.19.4.0 on Windows. The client installation grants the Everyone group Full Control permission to the installation directory. In addition, the PureVPNService.exe service, which runs under NT Authority\SYSTEM privileges, tries to load several dynamic-link libraries using relative paths instead of the absolute path. When not using a fully qualified path, the application will first try to load the library from the directory from which the application is started. As the residing directory of PureVPNService.exe is writable to all users, this makes the application susceptible to privilege escalation through DLL hijacking.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-02-26
The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-02-25
controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site Scripting (XSS) via the id or lid parameter in a c=linkage,m=import request to admin.php, because the xss_clean protection mechanism is defeated by crafted input that lacks a '<' or '>' character.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-02-25
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
CVSS Score
7.5
EPSS Score
0.112
Published
2018-02-25
An issue was discovered in ImageMagick 7.0.7-22 Q16. The IsWEBPImageLossless function in coders/webp.c allows attackers to cause a denial of service (segmentation violation) via a crafted file.
CVSS Score
6.5
EPSS Score
0.003
Published
2018-02-25
KingView 7.5SP1 has an integer overflow during stgopenstorage API read operations.
CVSS Score
7.8
EPSS Score
0.0
Published
2018-02-25