Security Vulnerabilities - CVEs Published In June 2018
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.
CVSS Score: 6.1 | EPSS Score: 0.015 | Published: 2018-06-29
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring.
CVSS Score: 7.5 | EPSS Score: 0.048 | Published: 2018-06-29
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
CVSS Score: 6.1 | EPSS Score: 0.73 | Published: 2018-06-29
Incorrect Access Control in AgentTrayIconServlet in Zoho ManageEngine Desktop Central 10.0.255 allows attackers to delete certain files on the web server without login by sending a specially crafted request to the server with a computerName=../ substring to the /agenttrayicon URI.
CVSS Score: 7.5 | EPSS Score: 0.123 | Published: 2018-06-29
EasyCMS 1.3 has CSRF via the index.php?s=/admin/user/delAll URI to delete users.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2018-06-29
An issue was discovered in OpenTSDB 2.3.0. Many parameters to the /q URI can execute commands, including o, key, style, and yrange and y2range and their JSON input.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2018-06-29
An issue was discovered in OpenTSDB 2.3.0. There is XSS in parameter 'json' to the /q URI.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-06-29
Invalid memory read in the PoDoFo::PdfVariant::DelayedLoad() function in PdfVariant.h in PoDoFo 0.9.6-rc1 allows remote attackers to have denial-of-service impact via a crafted file.
CVSS Score: 5.5 | EPSS Score: 0.004 | Published: 2018-06-29
A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a denial-of-service via a crafted pdf file.
CVSS Score: 7.8 | EPSS Score: 0.005 | Published: 2018-06-29
Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" credentials.
CVSS Score: 9.8 | EPSS Score: 0.051 | Published: 2018-06-29

