Security Vulnerabilities - CVEs Published In June 2018
jdf-sass is a fork of node-sass, intended for jdf use only. jdf-sass downloads executable resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested file with an attacker-controlled file if the attacker is on the network or positioned in between the user and the remote server.
CVSS Score: 8.1; EPSS Score: 0.008; Published: 2018-06-01
imageoptim is a Node.js wrapper for some image compression algorithms. imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker-controlled tarball if the attacker is on the network or positioned in between the user and the remote server.
CVSS Score: 8.1; EPSS Score: 0.008; Published: 2018-06-01
cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks.
CVSS Score: 5.9; EPSS Score: 0.001; Published: 2018-06-01
arrayfire-js is a module for ArrayFire for the Node.js platform. arrayfire-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker-controlled binary if the attacker is on the network or positioned in between the user and the remote server.
CVSS Score: 7.5; EPSS Score: 0.007; Published: 2018-06-01
MODX Revolution 2.6.3 has XSS.
CVSS Score: 5.4; EPSS Score: 0.002; Published: 2018-06-01
AXON PBX 2.02 contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability exists because 'pbxsetup.exe' loads a DLL file improperly.
CVSS Score: 7.8; EPSS Score: 0.014; Published: 2018-06-01
There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON->Auto-Dialer->Agents->Name" field. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable application.
CVSS Score: 6.1; EPSS Score: 0.003; Published: 2018-06-01
Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html.
CVSS Score: 4.8; EPSS Score: 0.004; Published: 2018-06-01
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect.
CVSS Score: 8.8; EPSS Score: 0.002; Published: 2018-06-01
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle.
CVSS Score: 8.8; EPSS Score: 0.002; Published: 2018-06-01

