Security Vulnerabilities - CVEs Published In June 2017
In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through 3.21.2, WS100 devices through 3.30.5, EC150 devices through 1.40.0, WS200 devices through 3.30.4, EC250 devices through 1.40.0, and other products, an LFI vulnerability allows a remote attacker to read or modify files through a path traversal technique, as demonstrated by reading the password file, or using the template parameter to cgi-bin/write.cgi to write to an arbitrary file.
CVSS Score: 9.1 | EPSS Score: 0.095 | Published: 2017-06-16
QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password function.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2017-06-15
This command injection vulnerability in QTS allows attackers to run arbitrary commands in the compromised application. QNAP have already fixed the issue in QTS 4.2.6 build 20170517, QTS 4.3.3.0174 build 20170503 and later versions.
CVSS Score: 10.0 | EPSS Score: 0.029 | Published: 2017-06-15
Windows RPC with Routing and Remote Access enabled in Windows XP and Windows Server 2003 allows an attacker to execute code on a targeted RPC server which has Routing and Remote Access enabled via a specially crafted application, aka "Windows RPC Remote Code Execution Vulnerability."
CVSS Score: 7.8 | EPSS Score: 0.125 | Published: 2017-06-15
Windows OLE in Windows XP and Windows Server 2003 allows an attacker to execute code when a victim opens a specially crafted file or program, aka "Windows olecnv32.dll Remote Code Execution Vulnerability."
CVSS Score: 7.8 | EPSS Score: 0.744 | Published: 2017-06-15
Cross-site scripting (XSS) vulnerability in the Webhammer WP Custom Fields Search plugin 0.3.28 for WordPress allows remote attackers to inject arbitrary JavaScript via the cs-all-0 parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-06-15
On D-Link DIR-605L devices, firmware before 2.08UIBetaB01.bin allows an unauthenticated GET request to trigger a reboot.
CVSS Score: 7.5 | EPSS Score: 0.309 | Published: 2017-06-15
Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors before b1705.1234962 allows remote authenticated users to inject arbitrary web script or HTML via the file upload functionality.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2017-06-15
In SimpleCE 2.3.0, a CSRF vulnerability can be exploited to add an administrator account (via the index.php/user/new URI) or change its settings (via the index.php/user/1 URI), including its password.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2017-06-15
In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on index.php/content/text/1?return_url=[XSS] exploitable as a regular or admin user.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2017-06-15

