Security Vulnerabilities - CVEs Published In November 2018
An XXE vulnerability exists in CASE Suite Versions 3.10 and prior when processing parameter entities, which may allow remote file disclosure.
CVSS Score
7.5
EPSS Score
0.005
Published
2018-11-02
InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. This vulnerability could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Edge HMI (formerly InTouch Machine Edition) runtime.
CVSS Score
9.8
EPSS Score
0.039
Published
2018-11-02
InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. A remote attacker could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. If InduSoft Web Studio remote communication security was not enabled, or a password was left blank, a remote user could send a carefully crafted packet to invoke an arbitrary process, with potential for code to be executed. The code would be executed under the privileges of the InduSoft Web Studio or InTouch Edge HMI runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Edge HMI server machine.
CVSS Score
9.8
EPSS Score
0.098
Published
2018-11-02
An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.
CVSS Score
6.5
EPSS Score
0.002
Published
2018-11-02
A Cross Site Request Forgery (CSRF) vulnerability in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allows an attacker to control the RainMachine device via the REST API.
CVSS Score
8.8
EPSS Score
0.001
Published
2018-11-01
An authentication bypass vulnerability exists in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application allowing an unauthenticated attacker to perform authenticated actions on the device via a 127.0.0.1:port value in the HTTP 'Host' header, as demonstrated by retrieving credentials.
CVSS Score
9.8
EPSS Score
0.043
Published
2018-11-01
A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be used by a remote attacker for clickjacking, as demonstrated by triggering an API page request.
CVSS Score
6.5
EPSS Score
0.002
Published
2018-11-01
NetGain Enterprise Manager (EM) is affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities in versions before 10.1.12.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-11-01
NetGain Enterprise Manager (EM) is affected by OS Command Injection vulnerabilities in versions before 10.0.57. These vulnerabilities could allow remote authenticated attackers to inject arbitrary code, resulting in remote code execution.
CVSS Score
7.2
EPSS Score
0.038
Published
2018-11-01
M2SOFT Report Designer Viewer 5.0 allows a Buffer Overflow with Extended Instruction Pointer (EIP) control via a crafted MRD file.
CVSS Score
7.8
EPSS Score
0.001
Published
2018-11-01