Security Vulnerabilities - CVEs Published In August 2018
NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device allows access to configuration files and profiles without authenticating the user.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2018-08-10
NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2018-08-10
NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device.
CVSS Score: 6.1
EPSS Score: 0.001
Published: 2018-08-10
NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with firmware 2.0.29.11 and prior. The directory of the device is listed openly without authentication.
CVSS Score: 7.5
EPSS Score: 0.016
Published: 2018-08-10
Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials for network authentication and encryption of local data at rest.
CVSS Score: 7.1
EPSS Score: 0.001
Published: 2018-08-10
Medtronic MyCareLink Patient Monitor’s update service does not sufficiently verify the authenticity of the data uploaded. An attacker who obtains per-product credentials from the monitor and paired implantable cardiac device information can potentially upload invalid data to the Medtronic CareLink network.
CVSS Score: 4.4
EPSS Score: 0.0
Published: 2018-08-10
PHP Scripts Mall hotel-booking-script 2.0.4 allows XSS via the First Name, Last Name, or Address field.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2018-08-10
PHP Scripts Mall hotel-booking-script 2.0.4 allows remote attackers to cause a denial of service via crafted JavaScript code in the First Name, Last Name, or Address field.
CVSS Score: 6.5
EPSS Score: 0.005
Published: 2018-08-10
ASUS HG100 devices allow denial of service via an IPv4 packet flood.
CVSS Score: 7.5
EPSS Score: 0.128
Published: 2018-08-10
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVSS Score: 7.2
EPSS Score: 0.041
Published: 2018-08-10

