Security Vulnerabilities - CVEs Published In September 2017
Cross-site scripting (XSS) vulnerability in Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.x before 4.3.7, and 5.0rc1.
CVSS Score
6.1
EPSS Score
0.005
Published
2017-09-25
Kupu 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, and 4.2.0 through 4.2.7 allows remote authenticated users to edit Kupu settings.
CVSS Score
6.8
EPSS Score
0.003
Published
2017-09-25
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.
CVSS Score
7.5
EPSS Score
0.004
Published
2017-09-25
Server Side Request Forgery vulnerability in Vebto Pixie Image Editor 1.4 and 1.7 allows remote attackers to disclose information or execute arbitrary code via the url parameter to Launderer.php.
CVSS Score
10.0
EPSS Score
0.018
Published
2017-09-25
SQL injection vulnerability in the Responsive Image Gallery plugin before 1.2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the "id" parameter in an add_edit_theme task in the wpdevart_gallery_themes page to wp-admin/admin.php.
CVSS Score
9.8
EPSS Score
0.019
Published
2017-09-25
The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link.
CVSS Score
7.8
EPSS Score
0.0
Published
2017-09-25
IBM WebSphere MQ 8.0 could allow an authenticated user to cause a premature termination of a client application thread which could potentially cause denial of service. IBM X-Force ID: 123914.
CVSS Score
6.5
EPSS Score
0.004
Published
2017-09-25
IBM Business Process Manager 7.5, 8.0, and 8.5 temporarily stores files in a temporary folder during offline installs which could be read by a local user within a short timespan. IBM X-Force ID: 126461.
CVSS Score
2.5
EPSS Score
0.0
Published
2017-09-25
IBM Security Identity Manager Adapters 6.0 and 7.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 126801.
CVSS Score
7.8
EPSS Score
0.0
Published
2017-09-25
IBM Business Process Manager 8.5.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 127477.
CVSS Score
5.4
EPSS Score
0.003
Published
2017-09-25