Security Vulnerabilities - CVEs Published In May 2018
An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. A specially crafted web request can cause the retrieval of arbitrary files or denial of service. An authenticated attacker can send a crafted web request to trigger this vulnerability.
CVSS Score
8.1
EPSS Score
0.004
Published
2018-05-15
dg-user/?controller=users&action=add in doorGets 7.0 has CSRF that results in adding an administrator account.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-05-15
e107 2.1.7 has CSRF resulting in arbitrary user deletion.
CVSS Score
6.5
EPSS Score
0.001
Published
2018-05-15
Linux kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor does not deliver interrupts and exceptions; instead, they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
CVSS Score
8.0
EPSS Score
0.0
Published
2018-05-15
There is stored cross-site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat when an attacker initiates a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-05-15
Bounds check vulnerability in User Mode Driver in Intel Graphics Driver 15.40.x.4 and 21.20.x.x allows an unprivileged user to cause a denial of service via local access.
CVSS Score
6.5
EPSS Score
0.003
Published
2018-05-15
Parameter corruption in NDIS filter driver in Intel Online Connect Access 1.9.22.0 allows an attacker to cause a denial of service via local access.
CVSS Score
5.5
EPSS Score
0.001
Published
2018-05-15
Buffer overflow in Intel System Configuration Utilities selview.exe and syscfg.exe before version 14 build 11 allows a local user to crash these services, potentially resulting in a denial of service.
CVSS Score
5.5
EPSS Score
0.0
Published
2018-05-15
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
CVSS Score
8.8
EPSS Score
0.006
Published
2018-05-15
Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack.
CVSS Score
5.3
EPSS Score
0.0
Published
2018-05-15