Security Vulnerabilities - CVEs Published In June 2016
The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 and Puppet Agent 1.3.x before 1.3.6 does not properly validate server certificates, which might allow remote attackers to spoof brokers and execute arbitrary commands via a crafted certificate.
CVSS Score
9.8
EPSS Score
0.007
Published
2016-06-10
Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveraging incorrect URL decoding.
CVSS Score
9.8
EPSS Score
0.002
Published
2016-06-10
ABB PCM600 before 2.7 improperly stores PCM600 authentication credentials, which allows local users to obtain sensitive information via unspecified vectors.
CVSS Score
3.3
EPSS Score
0.0
Published
2016-06-10
ABB PCM600 before 2.7 improperly stores OPC Server IEC61850 passwords in unspecified temporary circumstances, which allows local users to obtain sensitive information via unknown vectors.
CVSS Score
6.5
EPSS Score
0.0
Published
2016-06-10
ABB PCM600 before 2.7 improperly stores the main application password after a password change, which allows local users to obtain sensitive information via unspecified vectors.
CVSS Score
3.3
EPSS Score
0.0
Published
2016-06-10
ABB PCM600 before 2.7 uses an improper hash algorithm for the main application password, which makes it easier for local users to obtain sensitive cleartext information by leveraging read access to the ACTConfig configuration file.
CVSS Score
2.8
EPSS Score
0.001
Published
2016-06-10
KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allow remote attackers to bypass intended access restrictions and read a configuration file via unspecified vectors.
CVSS Score
5.3
EPSS Score
0.002
Published
2016-06-10
Cross-site request forgery (CSRF) vulnerability on KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allows remote attackers to hijack the authentication of unspecified victims for requests that disclose the contents of a configuration file.
CVSS Score
8.8
EPSS Score
0.001
Published
2016-06-10
MEDHOST Perioperative Information Management System (aka PIMS or VPIMS) before 2015R1 has hardcoded credentials, which makes it easier for remote attackers to obtain sensitive information via direct requests to the application database server.
CVSS Score
9.8
EPSS Score
0.004
Published
2016-06-10
A vulnerability in the web application for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software fails to check the bounds of input data. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition.
CVSS Score
7.5
EPSS Score
0.047
Published
2016-06-10