Security Vulnerabilities - CVEs Published In November 2018
Cross-site scripting in handle.php in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "options[sysname]" parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-11-27
Session Fixation in the web application for TerraMaster TOS version 3.1.03 allows attackers to control users' session cookies via JavaScript.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-11-27
Missing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms.
CVSS Score
8.8
EPSS Score
0.018
Published
2018-11-27
A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API.
CVSS Score
8.8
EPSS Score
0.117
Published
2018-11-27
System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter.
CVSS Score
8.8
EPSS Score
0.204
Published
2018-11-27
NUUO CMS All versions 3.3 and prior the application allows external input to construct a pathname that is able to be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.678
Published
2018-11-27
NUUO CMS All versions 3.3 and prior the application allows the upload of arbitrary files that can modify or overwrite configuration files to the server, which could allow remote code execution.
CVSS Score
9.8
EPSS Score
0.672
Published
2018-11-27
NUUO CMS All versions 3.3 and prior the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.
CVSS Score
8.8
EPSS Score
0.668
Published
2018-11-27
Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS 7.12.3 allows authenticated users to inject arbitrary web script via the Header Name of a content (Blog, Content Page, etc.). The vulnerability is exploited when updating or removing public access of a content.
CVSS Score
4.8
EPSS Score
0.005
Published
2018-11-27
NVIDIA GeForce Experience contains a vulnerability in all versions prior to 3.16 on Windows in which an attacker who has access to a local user account can plant a malicious dynamic link library (DLL) during application installation, which may lead to escalation of privileges.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-11-27