Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In September 2018
CVE-2018-17077
An issue was discovered in yiqicms through 2016-11-20. There is stored XSS in comment.php because a length limit can be bypassed.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-09-16
CVE-2018-16554
The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling.
CVSS Score
7.8
EPSS Score
0.003
Published
2018-09-16
CVE-2018-17072
JSON++ through 2016-06-15 has a buffer over-read in yyparse() in json.y.
CVSS Score
9.8
EPSS Score
0.004
Published
2018-09-16
CVE-2018-17073
wernsey/bitmap before 2018-08-18 allows a NULL pointer dereference via a 4-bit image.
CVSS Score
7.5
EPSS Score
0.003
Published
2018-09-16
CVE-2018-17074
The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-09-16
CVE-2018-17075
The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit.
CVSS Score
7.5
EPSS Score
0.007
Published
2018-09-16
CVE-2018-17069
An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new content via ?q=node%2Fadd%2Farticle&render=overlay&render=overlay.
CVSS Score
6.5
EPSS Score
0.001
Published
2018-09-15
CVE-2018-17070
An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the website settings via ?q=admin%2Fconfig%2Fsystem%2Fsite-information&render=overlay&render=overlay.
CVSS Score
6.5
EPSS Score
0.001
Published
2018-09-15
CVE-2018-17063
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/NTPSyncWithHost route. This could lead to command injection via shell metacharacters.
CVSS Score
9.8
EPSS Score
0.145
Published
2018-09-15
CVE-2018-17064
An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/sylogapply route. This could lead to command injection via the syslogIp parameter after /goform/clearlog is invoked.
CVSS Score
9.8
EPSS Score
0.145
Published
2018-09-15


Products
Pricing
Contact Us

Shodan ® - All rights reserved