Security Vulnerabilities - CVEs Published In November 2018
There was an argument injection vulnerability in Sourcetree for Windows from version 0.5.1.0 before version 3.0.0 via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
CVSS Score: 8.8; EPSS Score: 0.01; Published: 2018-11-05
An issue has been found in libIEC61850 v1.3. It is a stack-based buffer overflow in prepareGooseBuffer in goose/goose_publisher.c.
CVSS Score: 9.8; EPSS Score: 0.053; Published: 2018-11-05
The ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x before 4.0.6 allows remote attackers to cause a denial of service (segfault and daemon crash) via crafted input to the SMTP parser, as exploited in the wild in November 2018.
CVSS Score: 7.5; EPSS Score: 0.012; Published: 2018-11-05
A buffer overflow was discovered in the URL-authentication backend of Icecast before 2.4.4. If the backend is enabled, then any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution.
CVSS Score: 8.1; EPSS Score: 0.686; Published: 2018-11-05
Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut <= v1.1Beta
CVSS Score: 9.8; EPSS Score: 0.189; Published: 2018-11-05
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation near NULL starting at FoxitReader!safe_vsnprintf+0x00000000002c4330" issue.
CVSS Score: 9.1; EPSS Score: 0.017; Published: 2018-11-05
An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF.
CVSS Score: 9.8; EPSS Score: 0.001; Published: 2018-11-05
An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.
CVSS Score: 8.8; EPSS Score: 0.001; Published: 2018-11-05
An issue was discovered in PopojiCMS v2.0.1. admin_library.php allows remote attackers to delete arbitrary files via directory traversal in the po-admin/route.php?mod=library&act=delete id parameter.
CVSS Score: 7.5; EPSS Score: 0.006; Published: 2018-11-05
An issue has been found in libIEC61850 v1.3. It is a NULL pointer dereference in ClientDataSet_getValues in client/ied_connection.c.
CVSS Score: 7.5; EPSS Score: 0.003; Published: 2018-11-05

