Security Vulnerabilities - CVEs Published In April 2017
SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2356504.
CVSS Score: 8.8 | EPSS Score: 0.008 | Published: 2017-04-14
trollepierre/tdm before 2017-04-13 is vulnerable to a reflected XSS in tdm-master/webhook.php (challenge parameter).
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-04-14
In wallpaper.c in feh before v2.18.3, if a malicious client pretends to be the E17 window manager, it is possible to trigger an out-of-bounds heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2017-04-14
CSRF vulnerability in flatCore version 1.4.6 allows remote attackers to modify CMS configurations.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2017-04-14
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read and write to the users database.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2017-04-14
SQL Injection vulnerability in flatCore version 1.4.6 allows an attacker to read the content database.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2017-04-14
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
CVSS Score: 7.8 | EPSS Score: 0.033 | Published: 2017-04-14
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000.
CVSS Score: 7.3 | EPSS Score: 0.619 | Published: 2017-04-14
mongod in MongoDB 2.6 (when using 2.4-style users) and in MongoDB 2.4 allows remote attackers to cause a denial of service (memory consumption and process termination) by leveraging the in-memory database representation when authenticating against a non-existent database.
CVSS Score: 7.5 | EPSS Score: 0.01 | Published: 2017-04-14
The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories.
CVSS Score: 3.3 | EPSS Score: 0.0 | Published: 2017-04-14
Shodan ® - All rights reserved