Security Vulnerabilities - CVEs Published In October 2016
Red Hat CloudForms Management Engine 4.1 does not properly handle regular expressions passed to the expression engine via the JSON API and the web-based UI, which allows remote authenticated users to execute arbitrary shell commands by leveraging the ability to view and filter collections.
CVSS Score
8.8
EPSS Score
0.006
Published
2016-10-07
The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation.
CVSS Score
7.5
EPSS Score
0.011
Published
2016-10-07
The lmadmin component in Flexera FlexNet Publisher (aka Flex License Manager) before 2015 SP5 and 2016 before R1 SP1, as used by Citrix License Server for Windows before 11.14.0.1 and Citrix License Server VPX before 11.14.0.1, allows remote attackers to cause a denial of service (crash) via a type 2F packet with a '01 19' opcode.
CVSS Score
7.5
EPSS Score
0.017
Published
2016-10-07
The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended Secure Boot restrictions and execute untrusted code by appending ACPI tables to the initrd.
CVSS Score
7.4
EPSS Score
0.0
Published
2016-10-07
Cross-site scripting (XSS) vulnerability in the advanced settings page in Fortinet FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.3, in hardware models with a hard disk, and FortiAnalyzer 5.x before 5.0.13 and 5.2.x before 5.2.3 allows remote administrators to inject arbitrary web script or HTML via vectors related to report filters.
CVSS Score
5.4
EPSS Score
0.003
Published
2016-10-07
The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.
CVSS Score
7.5
EPSS Score
0.032
Published
2016-10-07
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
CVSS Score
7.5
EPSS Score
0.921
Published
2016-10-07
Zotpress plugin for WordPress SQLi in zp_get_account()
CVSS Score
9.8
EPSS Score
0.114
Published
2016-10-06
Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
CVSS Score
9.8
EPSS Score
0.022
Published
2016-10-06
Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
CVSS Score
9.8
EPSS Score
0.023
Published
2016-10-06