Security Vulnerabilities - CVEs Published In November 2017
In Home Assistant before 0.57, it is possible to inject JavaScript code into a persistent notification via crafted Markdown text, aka XSS.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-11-10

In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter.
CVSS Score: 9.8 | EPSS Score: 0.169 | Published: 2017-11-10

In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detailtemplate parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-11-10

Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-11-10

XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2017-11-10

In Inedo BuildMaster before 5.8.2, XslTransform was used where XslCompiledTransform should have been used.
CVSS Score: 9.8 | EPSS Score: 0.008 | Published: 2017-11-10

Inedo BuildMaster before 5.8.2 has XSS.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2017-11-10

An Open Redirect vulnerability in Inedo BuildMaster before 5.8.2 allows remote attackers to redirect users to arbitrary web sites.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2017-11-10

Sanic before 0.5.1 allows reading arbitrary files with directory traversal, as demonstrated by the /static/..%2f substring.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2017-11-10

An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Due to the user-specific configuration being loaded from "~/.confire.yaml" using the yaml.load function, a YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.
CVSS Score: 9.8 | EPSS Score: 0.019 | Published: 2017-11-10

