Security Vulnerabilities - CVEs Published In March 2018
WOlfCMS WolfCMS version version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from Layout tab) that can result in low privilege user can steal the cookie of admin user and compromise the admin account. This attack appear to be exploitable via Need to enter the Javascript code into Layout Name .
CVSS Score
5.4
EPSS Score
0.002
Published
2018-03-13
ClamAV version version 0.99.3 contains a Out of bounds heap memory read vulnerability in XAR parser, function xar_hash_check() that can result in Leaking of memory, may help in developing exploit chains.. This attack appear to be exploitable via The victim must scan a crafted XAR file. This vulnerability appears to have been fixed in after commit d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6.
CVSS Score
5.5
EPSS Score
0.009
Published
2018-03-13
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later.
CVSS Score
8.8
EPSS Score
0.003
Published
2018-03-13
WolfCMS version version 0.8.3.1 contains a Reflected Cross Site Scripting vulnerability in "Create New File" and "Create New Directory" input box from 'files' Tab that can result in Session Hijacking, Spread Worms,Control the browser remotely. . This attack appear to be exploitable via Attacker can execute the JavaScript into the "Create New File" and "Create New Directory" input box from 'files'.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-03-13
Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client's name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-03-13
Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4.
CVSS Score
7.4
EPSS Score
0.003
Published
2018-03-13
textpattern version version 4.6.2 contains a XML Injection vulnerability in Import XML feature that can result in Denial of service in context to the web server by exhausting server memory resources. This attack appear to be exploitable via Uploading a specially crafted XML file.
CVSS Score
7.5
EPSS Score
0.002
Published
2018-03-13
KadNode version version 2.2.0 contains a Buffer Overflow vulnerability in Arguments when starting up the binary that can result in Control of program execution flow, leading to remote code execution.
CVSS Score
8.8
EPSS Score
0.026
Published
2018-03-13
CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-03-13
CryptoNote version version 0.8.9 and possibly later contain a local RPC server which does not require authentication, as a result the walletd and the simplewallet RPC daemons will process any commands sent to them, resulting in remote command execution and a takeover of the cryptocurrency wallet if an attacker can trick an application such as a web browser into connecting and sending a command for example. This attack appears to be exploitable via a victim visiting a webpage hosting malicious content that trigger such behavior.
CVSS Score
8.8
EPSS Score
0.005
Published
2018-03-13