Security Vulnerabilities - CVEs Published In October 2017
The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command.
CVSS Score: 9.8 | EPSS Score: 0.019 | Published: 2017-10-23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path.
CVSS Score: 7.5 | EPSS Score: 0.552 | Published: 2017-10-23

Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accounts/json; turn off the (2) Url matching, (3) DNS Inject, or (4) IP Redirect Sensor in a request to interface/rest/dpi/setEnabled/1; or (5) perform whitelisting of malware MD5 hash IDs via the id parameter to interface/rest/md5-threats/whitelist.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2017-10-23

Cross-site scripting (XSS) vulnerability in actions.hsp in the Ajax WebMail interface in AXIGEN Mail Server before 9.0 allows remote attackers to inject arbitrary web script or HTML via an email attachment.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2017-10-23

Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php.
CVSS Score: 6.1 | EPSS Score: 0.013 | Published: 2017-10-23

SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
CVSS Score: 7.2 | EPSS Score: 0.095 | Published: 2017-10-23

The parse function in MSA vot.Ar 3.1 does not check whether a candidate receives more than one vote, which allows physically proximate attackers to cast multiple votes for a candidate via a crafted RFID ballot tag.
CVSS Score: 4.6 | EPSS Score: 0.001 | Published: 2017-10-23

Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated users to execute arbitrary code via the (1) ping_addr parameter to PingIframeRpm.htm or (2) dnsserver2 parameter to WanStaticIpV6CfgRpm.htm.
CVSS Score: 8.8 | EPSS Score: 0.729 | Published: 2017-10-23

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2017-10-23

In phpMyFaq before 2.9.9, there is XSS in admin/tags.main.php via a crafted tag.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-10-23
Shodan ® - All rights reserved