Security Vulnerabilities - CVEs Published In September 2017
DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 allows remote attackers to cause a denial of service (invalid memory write, SEGV on unknown address 0x000000000030, and application crash) or possibly have unspecified other impact via a crafted .wav file, aka a NULL pointer dereference.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2017-09-07
IBM Content Navigator & CMIS 2.0.3, 3.0.0, and 3.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 129577.
CVSS Score: 5.4
EPSS Score: 0.002
Published: 2017-09-07
The kamcmd administrative utility and default configuration in kamailio before 4.3.0 use /tmp/kamailio_ctl.
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2017-09-07
The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in a stack memory corruption when opening a crafted MP3 file.
CVSS Score: 5.5
EPSS Score: 0.002
Published: 2017-09-07
The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability which results in a read access violation when opening a crafted MP3 file.
CVSS Score: 5.5
EPSS Score: 0.002
Published: 2017-09-07
An issue was discovered on FiberHome User End Routers Bearing Model Number AN1020-25 which could allow an attacker to easily restore a router to its factory settings by simply browsing to the link http://[Default-Router-IP]/restoreinfo.cgi and executing it. Due to improper authentication on this page, the software accepts the request, allowing an attacker to reset the router to its default configuration, which could later allow the attacker to log in to the router using the default username/password.
CVSS Score: 9.8
EPSS Score: 0.734
Published: 2017-09-07
OCaml compiler allows attackers to have unspecified impact via unknown vectors, a similar issue to CVE-2017-9772 "but with much less impact."
CVSS Score: 7.8
EPSS Score: 0.001
Published: 2017-09-07
SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the watupro_questions parameter in a watupro_submit action to wp-admin/admin-ajax.php.
CVSS Score: 9.8
EPSS Score: 0.125
Published: 2017-09-07
Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors.
CVSS Score: 7.5
EPSS Score: 0.02
Published: 2017-09-07
Soreco Xpert.Line 3.0 allows local users to spoof users and consequently gain privileges by intercepting a Windows API call.
CVSS Score: 9.8
EPSS Score: 0.018
Published: 2017-09-07

