Security Vulnerabilities - CVEs Published In October 2017
In the "NQ Contacts Backup & Restore" application 1.1 for Android, RC4 encryption is used to secure the user password locally stored in shared preferences. Because there is a static RC4 key, an attacker can gain access to user credentials more easily by leveraging access to the preferences XML file.
CVSS Score
7.8
EPSS Score
0.0
Published
2017-10-29
In the "NQ Contacts Backup & Restore" application 1.1 for Android, DES encryption with a static key is used to secure transmitted contact data. This makes it easier for remote attackers to obtain cleartext information by sniffing the network.
CVSS Score
7.5
EPSS Score
0.001
Published
2017-10-29
In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required.
CVSS Score
9.8
EPSS Score
0.002
Published
2017-10-29
SQL injection vulnerability in the EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote authenticated administrators to execute arbitrary SQL commands via the graph parameter to module/capacity_per_label/index.php.
CVSS Score
7.2
EPSS Score
0.004
Published
2017-10-29
Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_id' to add_to_cart.php, a different vulnerability than CVE-2008-4461.
CVSS Score
9.8
EPSS Score
0.025
Published
2017-10-29
ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid parameter, a different vulnerability than CVE-2008-3604.
CVSS Score
9.8
EPSS Score
0.025
Published
2017-10-29
rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects.
CVSS Score
9.8
EPSS Score
0.001
Published
2017-10-29
The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction.
CVSS Score
5.5
EPSS Score
0.001
Published
2017-10-29
ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File Download via the token parameter to download.php.
CVSS Score
7.5
EPSS Score
0.228
Published
2017-10-29
my_profile.php in Ingenious School Management System 2.3.0 allows a student or teacher to upload an arbitrary file.
CVSS Score
8.8
EPSS Score
0.033
Published
2017-10-29