Security Vulnerabilities - CVEs Published In September 2018
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2018-09-17
admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2018-09-17
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2018-09-17
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field.
CVSS Score: 7.2 | EPSS Score: 0.004 | Published: 2018-09-17
Simple POS 4.0.24 allows SQL Injection via a products/get_products/ columns[0][search][value] parameter in the management panel, as demonstrated by products/get_products/1.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2018-09-17
App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploadify.swf in EasyCMS 1.5 has XSS via the uploadifyID or movieName parameter, a related issue to CVE-2018-9173.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-09-17
CScms 4.1 allows arbitrary directory deletion via a dir=..\\ substring to plugins\sys\admin\Plugins.php.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-09-17
CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.
CVSS Score: 9.8 | EPSS Score: 0.041 | Published: 2018-09-17
blocking_request.cgi on ASUS GT-AC5300 devices through 3.0.0.4.384_32738 allows remote attackers to cause a denial of service (NULL pointer dereference and device crash) via a request that lacks a timestap parameter.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2018-09-17
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
CVSS Score: 5.4 | EPSS Score: 0.014 | Published: 2018-09-17