Security Vulnerabilities - CVEs Published In June 2018
A vulnerability has been identified in SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < V5.2.3), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.4.1), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.3). The integrated configuration web server of the affected devices could allow Cross-Site Scripting (XSS) attacks if unsuspecting users are tricked into accessing a malicious link. User interaction is required for a successful exploitation. The user must be logged into the web interface in order for the exploitation to succeed. At the stage of publishing this security advisory no public exploitation is known. The vendor has confirmed the vulnerability and provides mitigations to resolve it.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-06-14
Huawei smart phones LYO-L21 with software LYO-L21C479B107, LYO-L21C479B107 have a privilege escalation vulnerability. An authenticated, local attacker can crafts malformed packets after tricking a user to install a malicious application and exploit this vulnerability when in the exception handling process. Successful exploitation may cause the attacker to obtain a higher privilege of the smart phones.
CVSS Score
7.3
EPSS Score
0.0
Published
2018-06-14
Due to insufficient parameters verification GPU driver of Mate 9 Pro Huawei smart phones with the versions before LON-AL00B 8.0.0.356(C00) has an arbitrary memory free vulnerability. An attacker can tricks a user into installing a malicious application on the smart phone, and send given parameter to driver to release special kernel memory resource. Successful exploit may result in phone crash or arbitrary code execution.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-06-14
Huawei HG255s-10 V100R001C163B025SP02 has a path traversal vulnerability due to insufficient validation of the received HTTP requests, a remote attacker may access the local files on the device without authentication.
CVSS Score
7.5
EPSS Score
0.097
Published
2018-06-14
Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id parameter.
CVSS Score
5.4
EPSS Score
0.001
Published
2018-06-14
An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory, aka "Microsoft Edge Information Disclosure Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-0871.
CVSS Score
4.3
EPSS Score
0.078
Published
2018-06-14
A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka "Microsoft Edge Security Feature Bypass Vulnerability." This affects Microsoft Edge.
CVSS Score
4.3
EPSS Score
0.122
Published
2018-06-14
A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8110, CVE-2018-8111.
CVSS Score
7.5
EPSS Score
0.263
Published
2018-06-14
An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory, aka "Windows GDI Information Disclosure Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
CVSS Score
5.5
EPSS Score
0.645
Published
2018-06-14
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8267.
CVSS Score
7.5
EPSS Score
0.274
Published
2018-06-14