Security Vulnerabilities - CVEs Published In June 2018
libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.
CVSS Score
7.5
EPSS Score
0.001
Published
2018-06-06
An issue was discovered in DisplayLink Core Software Cleaner Application 8.2.1956. When the drivers are updated to a newer version, the product launches a process as SYSTEM to uninstall the old version: cl_1956.exe is run as SYSTEM on the %systemroot%\Temp folder, where any user can write a DLL (e.g., version.dll) to perform DLL Hijacking and elevate privileges to SYSTEM.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-06-05
QNAP NAS application Proxy Server through version 1.2.0 does not utilize CSRF protections.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-06-05
Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to inject arbitrary web script or HTML.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-06-05
QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to run arbitrary OS commands against the system with root privileges.
CVSS Score
9.8
EPSS Score
0.034
Published
2018-06-05
QNAP NAS application Proxy Server through version 1.2.0 does not authenticate requests properly. Successful exploitation can lead to changes to the Proxy Server settings.
CVSS Score
5.3
EPSS Score
0.002
Published
2018-06-05
An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.
CVSS Score
4.3
EPSS Score
0.003
Published
2018-06-05
An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.
CVSS Score
4.3
EPSS Score
0.006
Published
2018-06-05
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.
CVSS Score
8.1
EPSS Score
0.004
Published
2018-06-05
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.
CVSS Score
4.3
EPSS Score
0.009
Published
2018-06-05

