Security Vulnerabilities - CVEs Published In September 2017
ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.
CVSS Score: 7.5 | EPSS Score: 0.013 | Published: 2017-09-06

Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1.16.6 when the XDMCP server is enabled allows remote attackers to cause a denial of service (process crash) via an XDMCP request packet with no address.
CVSS Score: 5.9 | EPSS Score: 0.006 | Published: 2017-09-06

The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
CVSS Score: 7.5 | EPSS Score: 0.011 | Published: 2017-09-06

svn-workbench 1.6.2 and earlier on a system with xeyes installed allows local users to execute arbitrary commands by using the "Command Shell" menu item while in the directory trunk/$(xeyes).
CVSS Score: 8.8 | EPSS Score: 0.017 | Published: 2017-09-06

The help window in Epicor CRS Retail Store before 3.2.03.01.008 allows local users to execute arbitrary code by injecting JavaScript into the window source to create a button that spawns a command shell.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2017-09-06

Honda Moto LINC 1.6.1 does not verify SSL certificates.
CVSS Score: 5.9 | EPSS Score: 0.003 | Published: 2017-09-06

XML external entity (XXE) vulnerability in bkr/server/jobs.py in Beaker before 20.1 allows remote authenticated users to obtain sensitive information via submitting job XML to the server containing entity references which reference files from the Beaker server's file system.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2017-09-06

The search bar code in bkr/server/widgets.py in Beaker before 20.1 does not escape </script> tags in string literals when producing JSON.
CVSS Score: 4.8 | EPSS Score: 0.005 | Published: 2017-09-06

Cross-site scripting (XSS) vulnerability in the edit comment dialog in bkr/server/widgets.py in Beaker 20.1 allows remote authenticated users to inject arbitrary web script or HTML via writing a crafted comment on an acked or nacked canceled job.
CVSS Score: 5.4 | EPSS Score: 0.004 | Published: 2017-09-06

The admin pages for power types and key types in Beaker before 20.1 do not have any access controls, which allows remote authenticated users to modify power types and key types via navigating to $BEAKER/powertypes and $BEAKER/keytypes respectively.
CVSS Score: 4.3 | EPSS Score: 0.005 | Published: 2017-09-06
Shodan ® - All rights reserved