Security Vulnerabilities - CVEs Published In October 2017
Extreme EXOS 15.7, 16.x, 21.x, and 22.x allow remote attackers to hijack sessions by determining SessionID values.
CVSS Score: 8.1 | EPSS Score: 0.005 | Published: 2017-10-23
In Suricata before 4.x, it was possible to trigger lots of redundant checks on the content of crafted network traffic with a certain signature, because of DetectEngineContentInspection in detect-engine-content-inspection.c. The search engine doesn't stop when it should after no match is found; instead, it stops only upon reaching inspection-recursion-limit (3000 by default).
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2017-10-23
SQL Injection exists in the E-Sic 1.0 password reset parameter (aka the cpfcnpj parameter to the /reset URI).
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2017-10-23
An authentication bypass exists in the E-Sic 1.0 /index (aka login) URI via '=''or' values for the username and password.
CVSS Score: 9.8 | EPSS Score: 0.038 | Published: 2017-10-23
XSS exists in the E-Sic 1.0 /cadastro/index.php URI (aka the requester's registration area) via the nome parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-10-23
SQL Injection exists in E-Sic 1.0 via the f parameter to esiclivre/restrito/inc/buscacep.php (aka the zip code search script).
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2017-10-23
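The three E-Sic entries above (the cpfcnpj reset parameter, the login bypass via '=''or', and the f parameter of buscacep.php) are the same defect: user input is concatenated into a SQL string, so a quote in the input ends the string literal and the rest is parsed as SQL. The block below is an added example, not E-Sic's code, using a constructed in-memory SQLite table. The advisory's '=''or' string relies on the backend's comparison rules (it evaluates to true where 0 = '' is true, as on MySQL); SQLite compares types strictly, so the example uses the equivalent tautology ' OR ''=' instead. The function and table names are illustrative.

```python
import sqlite3

# Constructed demo table; not E-Sic's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return db

def login_vulnerable(db, username, password):
    # String concatenation: attacker-controlled quotes become SQL syntax.
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone()

def login_safe(db, username, password):
    # Parameter binding: the driver passes the values separately from the
    # statement text, so a quote in the input stays a quote character.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()

# Tautology payload. In the vulnerable query it expands to
#   WHERE username='' OR ''='' AND password='' OR ''=''
# and the trailing ''='' makes the whole WHERE clause true.
PAYLOAD = "' OR ''='"

def demo():
    db = make_db()
    return {
        "vuln_bypass": login_vulnerable(db, PAYLOAD, PAYLOAD),  # -> ('admin',)
        "safe_bypass": login_safe(db, PAYLOAD, PAYLOAD),        # -> None
        "safe_legit": login_safe(db, "admin", "hunter2"),       # -> ('admin',)
    }

if __name__ == "__main__":
    print(demo())
```

The same binding applies to the reset and zip-code lookups: a parameterized query is the fix for all three entries, whereas quoting or escaping by hand is what produced them.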
The certificate import component in IDEMIA (formerly Morpho) MorphoSmart 1300 Series (aka MSO 1300 Series) devices allows local users to obtain a command shell, and consequently gain privileges, via unspecified vectors. NOTE: the vendor disputes this because there is no command shell in the product or in the associated SDK.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2017-10-23
osTicket 1.10.1 provides functionality to upload 'html' files with associated formats. However, it does not properly validate the uploaded file's contents and thus accepts any type of file, for example a tickets.php upload request modified so that the .html extension becomes a .exe extension. An attacker can leverage this to upload arbitrary files with malicious content to the web application.
CVSS Score: 9.8 | EPSS Score: 0.384 | Published: 2017-10-23
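The osTicket entry is an instance of trusting the client-supplied file name: the extension is checked, the bytes never are. The block below is an added example, not osTicket's code, showing an upload check that requires the extension and the sniffed content to agree and never reuses the client's name on disk. The allowlist, the magic-byte table and the function names are illustrative; the sample uploads are constructed.

```python
import secrets

ALLOWED_EXTENSIONS = {"html", "png", "pdf"}

# Leading bytes of a few formats (constructed table, not osTicket's).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"MZ", "executable"),       # PE/EXE
    (b"\x7fELF", "executable"),  # ELF
]

# What the content must sniff as for each allowed extension.
EXPECTED_KIND = {"html": "text", "png": "png", "pdf": "pdf"}

def sniff(data):
    """Classify `data` by its leading bytes; NUL-free UTF-8 counts as text."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    if b"\x00" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"

def validate_upload(filename, data):
    """Return (accepted, reason). Extension and content must both pass."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: %r" % ext
    kind = sniff(data)
    if kind != EXPECTED_KIND[ext]:
        return False, "content looks like %s, not %s" % (kind, ext)
    return True, "ok"

def stored_name(filename):
    """Server-chosen name: random token plus the already-validated extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return "%s.%s" % (secrets.token_hex(8), ext)

if __name__ == "__main__":
    samples = [  # constructed uploads
        ("notes.html", b"<html><body>hi</body></html>"),
        ("tickets.exe", b"MZ\x90\x00"),
        ("tickets.html", b"MZ\x90\x00" + b"\x00" * 10),
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("logo.html", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, data in samples:
        print(name, validate_upload(name, data))
```

Sniffing cannot tell HTML source from PHP source (both are text), so this check is only half of the fix: store uploads outside the web root or on a host that serves them with a fixed, non-executable content type, and serve them through a handler rather than by path.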
DOM Based Cross Site Scripting (XSS) exists in Logitech Media Server 7.7.1, 7.7.2, 7.7.3, 7.7.5, 7.7.6, 7.9.0, and 7.9.1 via a crafted URI.
CVSS Score: 6.1 | EPSS Score: 0.008 | Published: 2017-10-23
Cisco Small Business SA520 and SA540 devices with firmware 2.1.71 and 2.2.0.7 allow ../ directory traversal in scgi-bin/platform.cgi via the thispage parameter, for reading arbitrary files.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2017-10-23
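The SA520/SA540 entry is a classic ../ traversal: a page name taken from the request is joined onto a directory and opened without checking where the joined path actually lands. The block below is an added example, not Cisco's code, of a guard that resolves the joined path and verifies it is still inside the base directory. The base directory, the request values and the function names are constructed for illustration.

```python
import os

def resolve_page(base_dir, thispage):
    """Map a user-supplied page name onto a file under base_dir.

    Returns the absolute path, or None when the request escapes the base
    directory via ../ segments, an absolute path, or a symlink pointing out.
    """
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` if thispage is absolute; realpath then
    # collapses ../ segments and symlinks so the check sees the real target.
    candidate = os.path.realpath(os.path.join(base, thispage))
    # commonpath, not startswith: "/srv/www/html2" starts with
    # "/srv/www/html" but is not inside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo(base_dir="/srv/www/html"):
    # Constructed request values mirroring the ../ pattern, not the exact
    # exploit string from the advisory.
    requests = [
        "status.html",
        "../../../../etc/passwd",
        "/etc/passwd",
        "pages/../../html2/secret",
    ]
    return {r: resolve_page(base_dir, r) is not None for r in requests}

if __name__ == "__main__":
    for req, allowed in demo().items():
        print("%-28s %s" % (req, "allowed" if allowed else "rejected"))
```

Run the check on the decoded parameter value (after the CGI layer has turned %2e%2e%2f back into ../), and keep it: rejecting the literal string ".." before decoding is how these guards are usually bypassed.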
Shodan ® - All rights reserved