Security Vulnerabilities - CVEs Published In March 2018
In the WebRTC component in Opera 51.0.2830.55, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2018-03-28
Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither disclosed, nor could the error be misused to identify as another user.
CVSS Score: 5.7 | EPSS Score: 0.001 | Published: 2018-03-28
An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based SQL injection vulnerability in the "match" parameter allows remote authenticated attackers to execute arbitrary SQL commands. It is possible to upgrade access to full server compromise via xp_cmdshell. In some cases, the authentication requirement for the attack can be met by sending the default admin credentials.
CVSS Score: 7.5 | EPSS Score: 0.108 | Published: 2018-03-28
screenresolution-mechanism in screen-resolution-extra 0.17.2 does not properly use the PolicyKit D-Bus API, which allows local users to bypass intended access restrictions by leveraging a race condition via a setuid or pkexec process that is mishandled in a PolicyKitService._check_permission call.
CVSS Score: 7.0 | EPSS Score: 0.0 | Published: 2018-03-28
libvirt versions before 4.2.0-rc1 are vulnerable to resource exhaustion as a result of an incomplete fix for CVE-2018-5748: the issue affected the QEMU monitor and can now also be triggered via the QEMU guest agent.
CVSS Score: 7.5 | EPSS Score: 0.008 | Published: 2018-03-28
An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement.
CVSS Score: 8.8 | EPSS Score: 0.116 | Published: 2018-03-28
An information leak exists in Wanscam's HW0021 network camera that allows an unauthenticated remote attacker to recover the administrator username and password via an ONVIF GetSnapshotUri request.
CVSS Score: 9.8 | EPSS Score: 0.01 | Published: 2018-03-28
In Philips Alice 6 System version R8.0.2 or prior, when an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or the ability to execute arbitrary code.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2018-03-28
In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2018-03-28
The NetIQ Identity Manager user console, in versions prior to 4.7, is susceptible to URL redirection.
CVSS Score: 2.1 | EPSS Score: 0.002 | Published: 2018-03-28