Security Vulnerabilities - CVEs Published In April 2018
Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.
CVSS Score
6.5
EPSS Score
0.004
Published
2018-04-10
Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display url of a configured application link.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-04-10
The reset-password feature in MetInfo 6.0 allows remote attackers to change arbitrary passwords via vectors involving a Host HTTP header that is modified to specify a web server under the attacker's control.
CVSS Score
8.8
EPSS Score
0.004
Published
2018-04-10
An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname.
CVSS Score
5.3
EPSS Score
0.002
Published
2018-04-10
An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-04-10
An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request.
CVSS Score
9.8
EPSS Score
0.003
Published
2018-04-10
An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-04-10
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
CVSS Score
8.8
EPSS Score
0.003
Published
2018-04-10
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-04-10
Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 allows remote attackers to inject arbitrary web script or HTML via the webname or weburl parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-04-10