Security Vulnerabilities - CVEs Published In September 2017
Cross-site scripting (XSS) vulnerability in the Floating Social Bar plugin before 1.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via vectors related to original service order.
CVSS Score
6.1
EPSS Score
0.003
Published
2017-09-19
vBulletin 5.x through 5.1.6 allows remote authenticated users to bypass authorization checks and inject private messages into conversations via vectors related to an input validation failure.
CVSS Score
6.5
EPSS Score
0.002
Published
2017-09-19
The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures.
CVSS Score
5.9
EPSS Score
0.092
Published
2017-09-19
Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities."
CVSS Score
9.8
EPSS Score
0.062
Published
2017-09-19
Multiple cross-site scripting (XSS) vulnerabilities in Pydio (formerly AjaXplorer) before 6.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Pydio XSS Vulnerabilities."
CVSS Score
6.1
EPSS Score
0.002
Published
2017-09-19
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors.
CVSS Score
6.1
EPSS Score
0.007
Published
2017-09-19
Multiple cross-site request forgery (CSRF) vulnerabilities in the optionsPageRequest function in admin.php in WP Fastest Cache plugin before 0.8.3.5 for WordPress allow remote attackers to hijack the authentication of unspecified victims for requests that call the (1) saveOption, (2) deleteCache, (3) deleteCssAndJsCache, or (4) addCacheTimeout method via the wpFastestCachePage parameter in the WpFastestCacheOptions/ page.
CVSS Score
8.8
EPSS Score
0.002
Published
2017-09-19
In the medialibrary component in QNAP NAS 4.3.3.0229, an un-authenticated, remote attacker can execute arbitrary system commands as the root user of the NAS application.
CVSS Score
9.8
EPSS Score
0.012
Published
2017-09-19
The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.
CVSS Score
7.2
EPSS Score
0.022
Published
2017-09-19
The ZXR10 1800-2S before v3.00.40 incorrectly restricts access to a resource from an unauthorized actor, resulting in ordinary users being able to download configuration files to steal information like administrator accounts and passwords.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-09-19