Security Vulnerabilities - CVEs Published In September 2018
The installer for the Alcatel OSPREY3_MINI Modem component on EE EE40VB 4G mobile broadband modems with firmware before EE40_00_02.00_45 sets weak permissions (Everyone:Full Control) for the "Web Connecton\EE40" and "Web Connecton\EE40\BackgroundService" directories, which allows local users to gain privileges, as demonstrated by inserting a Trojan horse ServiceManager.exe file into the "Web Connecton\EE40\BackgroundService" directory.
CVSS Score
7.8
EPSS Score
0.01
Published
2018-09-26
JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
CVSS Score
9.8
EPSS Score
0.196
Published
2018-09-26
An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4 due to its passing user input from the $_POST parameters "ifdescr" and "ipv" to a shell without escaping the contents of the variables. This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP.
CVSS Score
8.8
EPSS Score
0.135
Published
2018-09-26
Privilege escalation can occur in the SUSE useradd.c code in useradd, as distributed in the SUSE shadow package through 4.2.1-27.9.1 for SUSE Linux Enterprise 12 (SLE-12) and through 4.5-5.39 for SUSE Linux Enterprise 15 (SLE-15). Non-existing intermediate directories are created with mode 0777 during user creation. Given that they are world-writable, local attackers might use this for privilege escalation and other unspecified attacks. NOTE: this would affect non-SUSE users who took useradd.c code from a 2014-04-02 upstream pull request; however, no non-SUSE distribution is known to be affected.
CVSS Score
7.8
EPSS Score
0.0
Published
2018-09-26
SeaCMS 6.64 and 7.2 allows remote attackers to delete arbitrary files via the filedir parameter.
CVSS Score
7.5
EPSS Score
0.016
Published
2018-09-26
Horus CMS allows SQL Injection, as demonstrated by a request to the /busca or /home URI.
CVSS Score
9.8
EPSS Score
0.002
Published
2018-09-26
In ThinkPHP 5.1.24, the inner function delete can be used for SQL injection when its WHERE condition's value can be controlled by a user's request.
CVSS Score
9.8
EPSS Score
0.003
Published
2018-09-26
In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data after the encoded algorithm OID during PKCS#1 v1.5 signature verification. Similar to the flaw in the same version of strongSwan regarding digestAlgorithm.parameters, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication.
CVSS Score
7.5
EPSS Score
0.012
Published
2018-09-26
In verify_emsa_pkcs1_signature() in gmp_rsa_public_key.c in the gmp plugin in strongSwan 4.x and 5.x before 5.7.0, the RSA implementation based on GMP does not reject excess data in the digestAlgorithm.parameters field during PKCS#1 v1.5 signature verification. Consequently, a remote attacker can forge signatures when small public exponents are being used, which could lead to impersonation when only an RSA signature is used for IKEv2 authentication. This is a variant of CVE-2006-4790 and CVE-2014-1568.
CVSS Score
7.5
EPSS Score
0.012
Published
2018-09-26
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.
CVSS Score
8.1
EPSS Score
0.024
Published
2018-09-26