Security Vulnerabilities - CVEs Published In May 2018
jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed to the emailAddress validator.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2018-05-31
MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth.
CVSS Score: 7.5
EPSS Score: 0.004
Published: 2018-05-31
i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint used for development in i18n-node-angular before 1.4.0 was not disabled in production environments, so a malicious user could fill up the server, causing a Denial of Service or content injection.
CVSS Score: 8.2
EPSS Score: 0.002
Published: 2018-05-31
A common setup for deploying to gh-pages on every commit via a CI system is to expose a GitHub token in the environment and use it directly in the auth part of the URL. In module versions < 0.9.1 the auth portion of the URL is output as part of the grunt task's logging. If this output is publicly available, the credentials should be considered compromised.
CVSS Score: 8.6
EPSS Score: 0.003
Published: 2018-05-31
riot-compiler version 2.3.21 has a regex prone to catastrophic backtracking, which makes it unusable under certain conditions.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2018-05-31
restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to operate inside that specified root path.
CVSS Score: 4.9
EPSS Score: 0.004
Published: 2018-05-31
Droppy versions before 3.5.0 do not perform any verification for cross-domain WebSocket requests. An attacker is able to craft a page that sends requests in the context of the currently logged-in user; for example, the attacker could add a new admin account under their control and delete others.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2018-05-31
The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables often contain secret keys and other sensitive values. A malicious user on the same network as a regular user could intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.
CVSS Score: 5.9
EPSS Score: 0.003
Published: 2018-05-31
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2018-05-31
In order to perform actions that require higher privileges, the Quest KACE System Management Appliance 8.0.318 relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed. A command injection vulnerability exists within this message queue which allows low-privilege users to append arbitrary commands that will be run as root.
CVSS Score: 8.8
EPSS Score: 0.101
Published: 2018-05-31
Shodan ® - All rights reserved