Security Vulnerabilities - CVEs Published In April 2017
drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a spinlock without considering that sleeping is possible in a USB HID request callback, which allows local users to cause a denial of service (deadlock) via unspecified vectors.
CVSS Score
5.5
EPSS Score
0.001
Published
2017-04-23
The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 does not have the expected EIO error status for a zero-length report, which allows local users to have an unspecified impact via unknown vectors.
CVSS Score
7.8
EPSS Score
0.0
Published
2017-04-23
The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted PDF document.
CVSS Score
5.5
EPSS Score
0.004
Published
2017-04-22
WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. A login request that contains a blank password sent to the XML-RPC agent in Fireware v11.12.1 and earlier returns different responses for valid and invalid usernames. An attacker could exploit this vulnerability to enumerate valid usernames on an affected Firebox.
CVSS Score
5.3
EPSS Score
0.003
Published
2017-04-22
WatchGuard Fireware v11.12.1 and earlier mishandles requests referring to an XML External Entity (XXE), in the XML-RPC agent. This causes the Firebox wgagent process to crash. This process crash ends all authenticated sessions to the Firebox, including management connections, and prevents new authenticated sessions until the process has recovered. The Firebox may also experience an overall degradation in performance while the wgagent process recovers. An attacker could continuously send XML-RPC requests that contain references to external entities to perform a limited Denial of Service (DoS) attack against an affected Firebox.
CVSS Score
5.3
EPSS Score
0.157
Published
2017-04-22
PoDoFo 0.9.5 allows denial of service (infinite recursion and stack consumption) via a crafted PDF file in PoDoFo::PdfParser::ReadDocumentStructure (PdfParser.cpp).
CVSS Score
5.5
EPSS Score
0.003
Published
2017-04-22
Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.
CVSS Score
9.8
EPSS Score
0.014
Published
2017-04-22
Craft CMS before 2.6.2974 allows XSS attacks.
CVSS Score
6.1
EPSS Score
0.004
Published
2017-04-22
Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates.
CVSS Score
5.9
EPSS Score
0.006
Published
2017-04-21
Cybozu KUNAI for iPhone 2.0.3 through 3.1.5 and for Android 2.1.2 through 3.0.4 does not verify SSL certificates.
CVSS Score
6.8
EPSS Score
0.004
Published
2017-04-21