Security Vulnerabilities - CVEs Published In February 2018
In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4
CVSS Score
6.5
EPSS Score
0.002
Published
2018-02-09
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
CVSS Score
8.0
EPSS Score
0.009
Published
2018-02-09
In Apache jUDDI 3.2 through 3.3.4, if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediates the data structures into UDDI data structures, there are little protections present against entity expansion and DTD type of attacks. Mitigation is to use 3.3.5.
CVSS Score
8.1
EPSS Score
0.011
Published
2018-02-09
The OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as used in ImageMagick 7.0.7-22 Q16 and other products, allows remote attackers to cause a denial of service (stack-based buffer under-read) via a crafted bmp image.
CVSS Score
6.5
EPSS Score
0.003
Published
2018-02-09
Cross Site Scripting (XSS) exists in the review section in PHP Scripts Mall Hot Scripts Clone Script Classified 3.1 via the title or description field.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-02-09
IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 136005.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-02-09
IBM Security Guardium Database Activity Monitor 9.0, 9.1, and 9.5 could allow a local user with low privileges to view report pages and perform some actions that only an admin should be performing, so there is risk that someone not authorized can change things that they are not suppose to. IBM X-Force ID: 137765.
CVSS Score
4.4
EPSS Score
0.0
Published
2018-02-09
IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138437.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-02-09
An issue was discovered on VOBOT CLOCK before 0.99.30 devices. An SSH server exists with a hardcoded vobot account that has root access.
CVSS Score
9.8
EPSS Score
0.01
Published
2018-02-09
An issue was discovered on VOBOT CLOCK before 0.99.30 devices. Cleartext HTTP is used to download a breakout program, and therefore man-in-the-middle attackers can execute arbitrary code by watching for a local user to launch the Breakout Easter Egg feature, and then sending a crafted HTTP response.
CVSS Score
7.5
EPSS Score
0.014
Published
2018-02-09