Security Vulnerabilities - CVEs Published In May 2018
Cross-site request forgery (CSRF) vulnerability in ManageIQ Enterprise Virtualization Manager (EVM) allows remote attackers to hijack the authentication of users for requests that have unspecified impact via unknown vectors.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-05-01
Red Hat CloudForms 2 Management Engine (CFME) allows remote attackers to conduct session tampering attacks by leveraging use of a static secret_token.rb secret.
CVSS Score
7.5
EPSS Score
0.0
Published
2018-05-01
Katello allows remote authenticated users to call the "system remove_deletion" CLI command via vectors related to "remove system" permissions.
CVSS Score
4.3
EPSS Score
0.001
Published
2018-05-01
Automatic Bug Reporting Tool (ABRT) before 2.1.6 allows local users to obtain sensitive information about arbitrary files via vectors related to sha1sums.
CVSS Score
3.3
EPSS Score
0.0
Published
2018-05-01
IBM Sterling Connect:Direct for OpenVMS 3.4.00, 3.4.01, 3.5.00, 3.6.0, and 3.6.0.1 allow remote attackers to have unspecified impact by leveraging failure to reject client requests for an unencrypted session when used as the server in a TCP/IP session and configured for SSL encryption with the client. IBM X-Force ID: 86138.
CVSS Score
7.3
EPSS Score
0.001
Published
2018-05-01
IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2.x before 7.2.1.5 and 7.2.x before 7.2.2.0 on Unix use weak permissions (755) for unspecified configuration and log files, which allows local users to obtain sensitive information by reading the files. IBM X-Force ID: 86176.
CVSS Score
5.5
EPSS Score
0.0
Published
2018-05-01
Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at rest. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
CVSS Score
4.6
EPSS Score
0.001
Published
2018-05-01
Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
CVSS Score
4.6
EPSS Score
0.001
Published
2018-05-01
The GridServer Broker, GridServer Driver, and GridServer Engine components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities related to both the improper use of encryption mechanisms and the use of weak ciphers. A malicious actor could theoretically compromise the traffic between any of the components. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.
CVSS Score
6.8
EPSS Score
0.0
Published
2018-05-01
The GridServer Broker, and GridServer Director components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS). In addition, an authenticated user could be a victim of a cross-site request forgery (CSRF) attack. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.
CVSS Score
6.3
EPSS Score
0.002
Published
2018-05-01