Security Vulnerabilities - CVEs Published In May 2017
IBM Tivoli Storage Manager 5.5, 6.1-6.4, and 7.1 stores password information in a log file that could be read by a local user when a set password command is issued. IBM X-Force ID: 118472.
CVSS Score
5.5
EPSS Score
0.001
Published
2017-05-05
IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515.
CVSS Score
8.6
EPSS Score
0.003
Published
2017-05-05
IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 119516.
CVSS Score
8.6
EPSS Score
0.009
Published
2017-05-05
IBM WebSphere Portal 8.5 and 9.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force. ID: 122592
CVSS Score
8.8
EPSS Score
0.007
Published
2017-05-05
Trend Micro OfficeScan 11.0 before SP1 CP 6325 (with Agent Module Build before 6152) and XG before CP 1352 has XSS via a crafted URI using a blocked website.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-05-05
An issue was discovered on Accellion FTA devices before FTA_9_12_180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter.
CVSS Score
9.8
EPSS Score
0.102
Published
2017-05-05
An issue was discovered on Accellion FTA devices before FTA_9_12_180. courier/1000@/oauth/playground/callback.html allows XSS with a crafted URI.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-05-05
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is XSS in courier/1000@/index.html with the auth_params parameter. The device tries to use internal WAF filters to stop specific XSS Vulnerabilities. However, these can be bypassed by using some modifications to the payloads, e.g., URL encoding.
CVSS Score
6.1
EPSS Score
0.01
Published
2017-05-05
An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a CRLF vulnerability in settings_global_text_edit.php allowing ?display=x%0Dnewline attacks.
CVSS Score
6.1
EPSS Score
0.002
Published
2017-05-05
An issue was discovered on Accellion FTA devices before FTA_9_12_180. A report_error.php?year='payload SQL injection vector exists.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-05-05