Security Vulnerabilities - CVEs Published In April 2018
SCCPX module in Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C10, V500R002C00, V600R006C00 has an invalid memory access vulnerability. An unauthenticated, remote attacker may send specially crafted packets to the affected products. Due to insufficient validation of packets, successful exploit may cause some services abnormal.
CVSS Score
5.3
EPSS Score
0.002
Published
2018-04-11
The Themes App Honor 8 Lite Huawei mobile phones with software of versions before Prague-L31C576B172, versions before Prague-L31C530B160, versions before Prague-L31C432B180 has a man-in-the-middle (MITM) vulnerability due to the use of the insecure HTTP protocol for theme download. An attacker may exploit this vulnerability to tamper with downloaded themes.
CVSS Score
5.3
EPSS Score
0.001
Published
2018-04-11
drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables
CVSS Score
5.5
EPSS Score
0.0
Published
2018-04-11
Catfish CMS V4.7.21 allows XSS via the pinglun parameter to cat/index/index/pinglun (aka an authenticated comment).
CVSS Score
5.4
EPSS Score
0.004
Published
2018-04-11
ubiQuoss Switch VP5208A creates a bcm_password file at /cgi-bin/ with the user credentials in cleartext when a failed login attempt occurs. The file can be reached via an HTTP request. The credentials can be used to access the system via SSH (or TELNET if it is enabled).
CVSS Score
9.8
EPSS Score
0.006
Published
2018-04-11
The Near Field Communication (NFC) module in Mate 9 Huawei mobile phones with the versions before MHA-L29B 8.0.0.366(C567) has an information leak vulnerability due to insufficient validation on data transfer requests. When an affected mobile phone sends files to an attacker's mobile phone using the NFC function, the attacker can obtain arbitrary files from the mobile phone, causing information leaks.
CVSS Score
5.7
EPSS Score
0.0
Published
2018-04-11
CA Workload Automation AE before r11.3.6 SP7 allows remote attackers to a perform SQL injection via a crafted HTTP request.
CVSS Score
8.8
EPSS Score
0.024
Published
2018-04-11
CA Workload Control Center before r11.4 SP6 allows remote attackers to execute arbitrary code via a crafted HTTP request.
CVSS Score
9.8
EPSS Score
0.122
Published
2018-04-11
An exploitable OS Command Injection vulnerability exists in the Telnet, SSH, and console login functionality of Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client in firmware versions 1.4 to 1.7 (current). An attacker can inject commands via the username parameter of several services (SSH, Telnet, console), resulting in remote, unauthenticated, root-level operating system command execution.
CVSS Score
10.0
EPSS Score
0.206
Published
2018-04-11
Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).
CVSS Score
5.4
EPSS Score
0.001
Published
2018-04-11