Security Vulnerabilities - CVEs Published In May 2018
An issue was discovered in Exiv2 0.26. readMetadata in jp2image.cpp allows remote attackers to cause a denial of service (SIGABRT) by triggering an incorrect Safe::add call.
CVSS Score: 6.5 | EPSS Score: 0.012 | Published: 2018-05-12
An issue was discovered in Exiv2 0.26. The Exiv2::Internal::PngChunk::parseTXTChunk function has a heap-based buffer over-read.
CVSS Score: 6.5 | EPSS Score: 0.018 | Published: 2018-05-12
An issue was discovered in YXcms 1.4.7. Cross-site request forgery (CSRF) vulnerability in protected/apps/admin/controller/adminController.php allows remote attackers to delete administrator accounts via index.php?r=admin/admin/admindel.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2018-05-12
An issue was discovered in SDcms v1.5. Cross-site request forgery (CSRF) vulnerability in /WWW//app/admin/controller/admincontroller.php allows remote attackers to add administrator accounts via m=admin&c=admin&a=add.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-05-12
ruibaby Halo 0.0.2 has stored XSS via the commentAuthor field to FrontCommentController.java.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-05-12
ruibaby Halo 0.0.2 has stored XSS via the loginName and loginPwd parameters in a failed login attempt to AdminController.java.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-05-12
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.
CVSS Score: 9.8 | EPSS Score: 0.008 | Published: 2018-05-11
ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based, which are vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal, will return the contents of any local files to a remote attacker.
CVSS Score: 5.5 | EPSS Score: 0.035 | Published: 2018-05-11
An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The license key parameter of the web application is vulnerable to Cross Site Scripting; this vulnerability allows an attacker to send malicious code to another user.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-05-11
An issue was discovered on the Impinj Speedway Connect R420 RFID Reader before 2.2.2. The affected web interface is vulnerable to ClickJacking or UI Redressing: it is possible to access the web application in an iframe, and clicking on the iframe will redirect to a third-party application or perform other malicious actions.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2018-05-11
Shodan ® - All rights reserved