Security Vulnerabilities - CVEs Published In August 2018
IBM WebSphere MQ 8.0.0.2 through 8.0.0.8 and 9.0.0.0 through 9.0.0.3 could allow users to have more authority than they should have if an MQ administrator creates an invalid user group name. IBM X-Force ID: 142888.
CVSS Score: 3.1 | EPSS Score: 0.003 | Published: 2018-08-06
An XSS was noticed in certain 404 pages that could be exploited to perform an XSS attack. Chrome will detect this as a reflected XSS attempt and prevent the page from loading. Firefox and other browsers don't, and are vulnerable to this attack. Mitigation: The fix for this is to upgrade to Apache Airflow 1.9.0 or above.
CVSS Score: 6.1 | EPSS Score: 0.023 | Published: 2018-08-06
An issue was discovered in WeaselCMS v0.3.5. CSRF can update the website settings (such as the theme, title, and description) via index.php.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2018-08-05
An issue was discovered in WeaselCMS v0.3.5. CSRF can create new pages via an index.php?b=pages&a=new URI.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2018-08-05
The get_app_path function in desktop/unx/source/start.c in LibreOffice through 6.0.5 mishandles the realpath function in certain environments such as FreeBSD libc, which might allow attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site.
CVSS Score: 9.8 | EPSS Score: 0.005 | Published: 2018-08-05
PHPCMS 9 allows remote attackers to cause a denial of service (resource consumption) via large font_size, height, and width parameters in an api.php?op=checkcode request.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2018-08-05
Harmonic NSG 9000 devices allow remote authenticated users to read the webapp.py source code via a direct request for the /webapp.py URI.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2018-08-05
Harmonic NSG 9000 devices allow remote authenticated users to conduct directory traversal attacks, as demonstrated by "POST /PY/EMULATION_GET_FILE" or "POST /PY/EMULATION_EXPORT" with FileName=../../../passwd in the POST data.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2018-08-05
Harmonic NSG 9000 devices have a default password of nsgadmin for the admin account, a default password of nsgguest for the guest account, and a default password of nsgconfig for the config account.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2018-08-05
An issue has been found in jpeg_encoder through 2015-11-27. It is a SEGV in the function readFromBMP in jpeg_encoder.cpp. The signal is caused by an out-of-bounds write.
CVSS Score: 7.8 | EPSS Score: 0.002 | Published: 2018-08-05
Shodan ® - All rights reserved