Security Vulnerabilities - CVEs Published In October 2016
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
CVSS Score: 9.1 | EPSS Score: 0.004 | Published: 2016-10-03
FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by disconnecting before authentication has finished.
CVSS Score: 7.5 | EPSS Score: 0.011 | Published: 2016-10-03
FreeRDP before 1.1.0-beta1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors.
CVSS Score: 7.5 | EPSS Score: 0.019 | Published: 2016-10-03
The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2016-10-03
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2016-10-03
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
CVSS Score: 4.3 | EPSS Score: 0.004 | Published: 2016-10-03
The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.
CVSS Score: 9.8 | EPSS Score: 0.031 | Published: 2016-10-03
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
CVSS Score: 7.5 | EPSS Score: 0.066 | Published: 2016-10-03
The RGW code in Ceph before 10.0.1, when authenticated-read ACL is applied to a bucket, allows remote attackers to list the bucket contents via a URL.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2016-10-03
The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2016-10-03

