Security Vulnerabilities - CVEs Published In March 2017
Format string vulnerability in cgiemail and cgiecho allows remote attackers to execute arbitrary code via format string specifiers in a template file.
CVSS Score: 7.8
EPSS Score: 0.005
Published: 2017-03-03
Open redirect vulnerability in cgiemail and cgiecho allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving the (1) success or (2) failure parameter.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2017-03-03
cgiemail and cgiecho allow remote attackers to inject HTTP headers via a newline character in the redirect location.
CVSS Score: 6.1
EPSS Score: 0.003
Published: 2017-03-03
Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities.
CVSS Score: 3.3
EPSS Score: 0.001
Published: 2017-03-03
The esets_daemon service in ESET Endpoint Antivirus for macOS before 6.4.168.0 and Endpoint Security for macOS before 6.4.168.0 does not properly verify X.509 certificates from the edf.eset.com SSL server, which allows man-in-the-middle attackers to spoof this server and provide crafted responses to license activation requests via a self-signed certificate. NOTE: this issue can be combined with CVE-2016-0718 to execute arbitrary code remotely as root.
CVSS Score: 5.9
EPSS Score: 0.002
Published: 2017-03-02
Persistent XSS in WordPress plugin rockhoist-badges v1.2.2.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2017-03-02
Persistent XSS vulnerability in WordPress plugin AnyVar v0.1.1.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2017-03-02
Remote file upload vulnerability in WordPress plugin Mobile App Native 3.0.
CVSS Score: 7.5
EPSS Score: 0.386
Published: 2017-03-02
The ConcatenateImages function in MagickWand/magick-cli.c in ImageMagick before 7.0.1-10 does not check the return value of the fputc function, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVSS Score: 6.5
EPSS Score: 0.007
Published: 2017-03-02
The ReadGROUP4Image function in coders/tiff.c in ImageMagick does not check the return value of the fwrite function, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVSS Score: 5.5
EPSS Score: 0.005
Published: 2017-03-02

