Security Vulnerabilities - CVEs Published In October 2018
Leanote 2.6.1 has XSS via the Blog Basic Setting title field, which is mishandled during rendering of the "likes" page.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2018-10-22
ServersCheck Monitoring Software before 14.3.4 allows SQL Injection by an authenticated user.
CVSS Score: 8.8; EPSS Score: 0.003; Published: 2018-10-21
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVSS Score: 6.5; EPSS Score: 0.001; Published: 2018-10-21
Fiyo CMS 2.0.7 has XSS via the dapur\apps\app_user\edit_user.php name parameter.
CVSS Score: 6.1; EPSS Score: 0.003; Published: 2018-10-21
ThinkPHP 3.2.4 has SQL Injection via the order parameter because the Library/Think/Db/Driver.class.php parseOrder function mishandles the key variable.
CVSS Score: 9.8; EPSS Score: 0.004; Published: 2018-10-21
In Teeworlds before 0.6.5, connection packets could be forged. There was no challenge-response involved in the connection build up. A remote attacker could send connection packets from a spoofed IP address and occupy all server slots, or even use them for a reflection attack using map download packets.
CVSS Score: 7.5; EPSS Score: 0.02; Published: 2018-10-20
TeaKKi 2.7 allows XSS via a crafted onerror attribute for a picture's URL.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2018-10-20
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the 8.3 version of Zenario Content Management System via the admin/organizer.ajax.php?path=zenario__content%2Fpanels%2Fcontent URI.
CVSS Score: 8.8; EPSS Score: 0.001; Published: 2018-10-19
TP-Link TL-SC3130 1.6.18P12_121101 devices allow unauthenticated RTSP stream access, as demonstrated by a /jpg/image.jpg URI.
CVSS Score: 7.5; EPSS Score: 0.376; Published: 2018-10-19
QEMU has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value.
CVSS Score: 5.5; EPSS Score: 0.001; Published: 2018-10-19

