Security Vulnerabilities - CVEs Published In March 2017
An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 through v3.11.0, and UAA Bosh Release v21 through v26. There is a potential to subject the UAA OAuth clients to a denial of service attack.
CVSS Score
7.5
EPSS Score
0.005
Published
2017-03-10
Remote Code Execution was discovered in FTPShell Client 6.53. By default, the client sends a PWD command to the FTP server it is connecting to; however, it doesn't check the response's length, leading to a buffer overflow situation.
CVSS Score
9.8
EPSS Score
0.275
Published
2017-03-10
A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remote attackers to inject arbitrary JavaScript via the 'action_type' parameter.
CVSS Score
6.1
EPSS Score
0.008
Published
2017-03-10
There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-03-09
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).
CVSS Score
9.8
EPSS Score
0.837
Published
2017-03-09
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to a NUL-terminated directory traversal attack allowing an unauthenticated attacker to access system files readable by the web server user (by using the viewAppletFsa.cgi seqID parameter).
CVSS Score
7.5
EPSS Score
0.759
Published
2017-03-09
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affected by plaintext password storage (the /home/dna/spool/.pfile file).
CVSS Score
8.1
EPSS Score
0.072
Published
2017-03-09
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to session hijacking by guessing the UID parameter.
CVSS Score
8.8
EPSS Score
0.045
Published
2017-03-09
EpicEditor through 0.2.3 has Cross-Site Scripting because of an insecure default marked.js configuration. An example attack vector is a crafted IMG element in an HTML document.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-03-09
An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user. The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you use a certificate to login is required as well, but it's easy to create one. Then, it's possible to open a nautilus window and browse directories. One also can open some applications such as Firefox, which is useful for downloading malicious binaries.
CVSS Score
6.3
EPSS Score
0.0
Published
2017-03-09