Security Vulnerabilities - CVEs Published In August 2018
Inappropriate implementation in V8 WebAssembly JS bindings in Google Chrome prior to 63.0.3239.108 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
CVSS Score: 6.1 | EPSS Score: 0.008 | Published: 2018-08-28
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy call overflows the destination buffer, which has a size of 136 bytes. An attacker can send an arbitrarily long 'directory' value in order to exploit this vulnerability. An attacker can send an HTTP request to trigger this vulnerability.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2018-08-28
Infoblox NetMRI 7.1.1 has Reflected Cross-Site Scripting via the /api/docs/index.php query parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-08-28
An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 Firmware version 0.20.17. The strncpy call overflows the destination buffer, which has a size of 52 bytes. An attacker can send an arbitrarily long 'endTime' value in order to exploit this vulnerability. An attacker can send an HTTP request to trigger this vulnerability.
CVSS Score: 9.9 | EPSS Score: 0.002 | Published: 2018-08-28
An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, URL and body. With the implementation of the on_body callback, defined by sub_41734, an attacker can send an HTTP request to trigger this vulnerability.
CVSS Score: 9.1 | EPSS Score: 0.004 | Published: 2018-08-28
RICOH MP C4504ex devices allow HTML Injection via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2018-08-28
e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2018-08-28
Zoho ManageEngine ADManager Plus 6.5.7 allows HTML Injection on the "AD Delegation" "Help Desk Technicians" screen.
CVSS Score: 6.1 | EPSS Score: 0.015 | Published: 2018-08-28
Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.
CVSS Score: 6.1 | EPSS Score: 0.01 | Published: 2018-08-28
A SQL Injection issue was discovered in Sentrifugo 3.2 via the deptid parameter.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2018-08-28