Security Vulnerabilities - CVEs Published In October 2018
An issue was discovered in Descor Infocad FM before 3.1.0.0. An unauthenticated web service allows the retrieval of files on the web server and on reachable SMB servers.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2018-10-10

tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation.
CVSS Score: 5.3 | EPSS Score: 0.004 | Published: 2018-10-10

tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1.
CVSS Score: 3.7 | EPSS Score: 0.004 | Published: 2018-10-10

The web server component of TIBCO Software Inc.'s Spotfire Statistics Services contains multiple vulnerabilities that may allow the remote execution of code. Without needing to authenticate, an attacker may be able to remotely execute code with the permissions of the system account used to run the web server component. Affected releases are TIBCO Software Inc. TIBCO Spotfire Statistics Services versions up to and including 7.11.0.
CVSS Score: 9.8 | EPSS Score: 0.026 | Published: 2018-10-10

In versions 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.
CVSS Score: 6.5 | EPSS Score: 0.013 | Published: 2018-10-10

In versions 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems.
CVSS Score: 9.8 | EPSS Score: 0.01 | Published: 2018-10-10

In versions 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is used exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2018-10-10

Insufficient input validation in BIOS update utility in Intel NUC FW kits downloaded before May 24, 2018 may allow a privileged user to potentially trigger a denial of service or information disclosure via local access.
CVSS Score: 6.0 | EPSS Score: 0.0 | Published: 2018-10-10

Insufficient session validation in the webserver component of the Intel Rapid Web Server 3 may allow an unauthenticated user to potentially disclose information via network access.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2018-10-10

Improper password hashing in firmware in Intel Server Board (S7200AP, S7200APR) and Intel Compute Module (HNS7200AP, HNS7200AP) may allow a privileged user to potentially disclose firmware passwords via local access.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2018-10-10

