Security Vulnerabilities - CVEs Published In July 2018
Insecure access control in freeSSHd version 1.3.1 allows attackers to obtain the privileges of the freesshd.exe process by leveraging the ability to login to an unprivileged account on the server.
CVSS Score
9.8
EPSS Score
0.004
Published
2018-07-10
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
CVSS Score
9.8
EPSS Score
0.028
Published
2018-07-10
The review attachment resource in Atlassian Fisheye and Crucible before version 4.5.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in attached files.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-07-10
The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml.
CVSS Score
4.7
EPSS Score
0.002
Published
2018-07-10
The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.
CVSS Score
9.8
EPSS Score
0.118
Published
2018-07-10
The XMLUI feature in DSpace before 3.6, 4.x before 4.5, and 5.x before 5.5 allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI.
CVSS Score
7.5
EPSS Score
0.002
Published
2018-07-10
An wrong logical check identified in the transferFrom function of a smart contract implementation for RemiCoin (RMC), an Ethereum ERC20 token, allows the attacker to steal tokens or conduct resultant integer underflow attacks.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-07-10
The HTTP API in ABBYY FlexiCapture before 12 Release 1 Update 7 allows an attacker to conduct Access Control attacks via the /FlexiCapture12/Login/Server/SevaUserProfile FlexiCaptureTmsSts2 parameter.
CVSS Score
9.8
EPSS Score
0.004
Published
2018-07-09
Multiple Cross Site Request Forgery (CSRF) vulnerabilities in the HTTP API in ABBYY FlexiCapture before 12 Release 1 Update 7 exist in Web Verification, Web Scanning, Web Capture, Monitoring and Administration, and Login.
CVSS Score
8.8
EPSS Score
0.002
Published
2018-07-09
A heap-based buffer overflow exists in stbi__bmp_load_cont in stb_image.h in catimg 2.4.0.
CVSS Score
9.8
EPSS Score
0.005
Published
2018-07-09