Security Vulnerabilities - CVEs Published In August 2017
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the system. An attacker could leverage this information to fine-tune and enumerate valid accounts on the system by searching for common usernames.
CVSS Score: 5.3 | EPSS Score: 0.164 | Published: 2017-08-28
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS.
CVSS Score: 6.1 | EPSS Score: 0.024 | Published: 2017-08-28
Cross-site scripting (XSS) vulnerability in the Googlemaps plugin before 3.1 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the xmlns parameter.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2017-08-28
Directory traversal vulnerability in the XMLRPC interface in Red Hat Satellite 5.
CVSS Score: 6.5 | EPSS Score: 0.007 | Published: 2017-08-28
Multiple insecure Temporary File vulnerabilities in 389 Administration Server before 1.1.38.
CVSS Score: 4.2 | EPSS Score: 0.001 | Published: 2017-08-28
kgb-bot 1.33-2 allows remote attackers to cause a denial of service (crash).
CVSS Score: 7.5 | EPSS Score: 0.009 | Published: 2017-08-28
Information disclosure vulnerability in Netatmo Indoor Module firmware 100 and earlier.
CVSS Score: 7.5 | EPSS Score: 0.01 | Published: 2017-08-28
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology DiskStation (DSM) before 6.1.1-15088 allows a remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service.
CVSS Score: 4.9 | EPSS Score: 0.005 | Published: 2017-08-28
Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwarding.Rules in Synology Router Manager (SRM) before 1.1.4-6509 allows a remote authenticated attacker to exhaust the memory resources of the machine, causing a denial of service.
CVSS Score: 4.9 | EPSS Score: 0.005 | Published: 2017-08-28
A kernel driver, namely DLMFENC.sys, bundled with the DESLock+ client application 4.8.16 and earlier contains a locally exploitable heap-based buffer overflow in the handling of an IOCTL message of type 0x0FA4204. The vulnerability is present because the kernel driver fails to allocate sufficient memory on the kernel heap to contain a user-supplied string; the string is copied into a buffer of constant size (0x1000 bytes), and an overflow condition results. Access to the kernel driver is permitted through an obfuscated interface whereby bytes of the user-supplied message are "authenticated" via an obfuscation routine employing a linear equation.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2017-08-28

