Security Vulnerabilities - CVEs Published In September 2018
SeaCMS 6.64 allows SQL Injection via the upload/admin/admin_video.php order parameter.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2018-09-21
Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
CVSS Score: 6.1 | EPSS Score: 0.067 | Published: 2018-09-21
In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.
CVSS Score: 6.1 | EPSS Score: 0.013 | Published: 2018-09-21
On the RICOH SP 4510SF printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2018-09-21
On the RICOH MP 2001 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2018-09-21
In LimeSurvey 3.14.7, HTML Injection and Stored XSS have been discovered in the appendix via the surveyls_title parameter to /index.php?r=admin/survey/sa/insert.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-09-21
The mintToken function of a smart contract implementation for PolyAi (AI), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2018-09-21
An issue was discovered in HMRServer.js in Parcel parcel-bundler. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1 connection (with a random TCP port number) from any origin. The random port number can be found by connecting to http://127.0.0.1 and reading the "new WebSocket" line in the source code.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2018-09-21
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.6. Attackers are able to steal a developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws://127.0.0.1:8080/ connection from any origin.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2018-09-21
A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.
CVSS Score: 8.3 | EPSS Score: 0.001 | Published: 2018-09-21

