Security Vulnerabilities - CVEs Published In February 2018
trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php.
CVSS Score: 8.8 | EPSS Score: 0.914 | Published: 2018-02-16
trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or /user/includes/language/langChooser.php.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2018-02-16
trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
CVSS Score: 6.5 | EPSS Score: 0.909 | Published: 2018-02-16
F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors involving the Tags parameter in the JSON request body in an outbound request for the /api/latest/vulnerabilityscans/tags/batch resource, aka a "suggested metadata tags for assets" issue.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-02-16
F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated Redirect via the ReturnUrl parameter that triggers upon a user login.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-02-16
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-02-16
An improper authorization vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to have Jenkins submit HTTP GET requests and get limited information about the response.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2018-02-16
An improper input validation vulnerability exists in Jenkins versions 2.106 and earlier, and LTS 2.89.3 and earlier, that allows an attacker to access plugin resource files in the META-INF and WEB-INF directories that should not be accessible, if the Jenkins home directory is on a case-insensitive file system.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2018-02-16
An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A remote, unauthenticated attacker can gain remote code execution on the device with a crafted password parameter for the COOKIE header.
CVSS Score: 9.8 | EPSS Score: 0.675 | Published: 2018-02-15
Ivanti Endpoint Security (formerly HEAT Endpoint Management and Security Suite) 8.5 Update 1 and earlier allows an authenticated user with low privileges and access to the local network to bypass application whitelisting when using the Application Control module on Ivanti Endpoint Security in lockdown mode.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2018-02-15