Security Vulnerabilities - CVEs Published In December 2017
Techno - Portfolio Management Panel through 2017-11-16 allows XSS via the panel/search.php s parameter.
    CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2017-12-15
Techno - Portfolio Management Panel through 2017-11-16 allows SQL Injection via the panel/search.php s parameter.
    CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2017-12-15
Techno - Portfolio Management Panel through 2017-11-16 allows full path disclosure via an invalid s parameter to panel/search.php.
    CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2017-12-15
The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 has SSRF via the endpoint parameter to /api/targets/ping.
    CVSS Score: 8.6 | EPSS Score: 0.003 | Published: 2017-12-15
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root folder to a file of choice and querying passenger-status --show=xml.
    CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2017-12-14
Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
    CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2017-12-14
A regular expression Denial of Service (DoS) vulnerability in the file lib/ecstatic.js of the ecstatic npm package, before version 2.0.0, allows a remote attacker to overload and crash a server by passing a maliciously crafted string.
    CVSS Score: 7.5 | EPSS Score: 0.015 | Published: 2017-12-14
A privilege escalation in Fortinet FortiClient Windows 5.4.3 and earlier, as well as 5.6.0, allows an attacker to gain privileges by exploiting the Windows "security alert" dialog that pops up when the "VPN before logon" feature is enabled and an untrusted certificate chain is presented.
    CVSS Score: 8.1 | EPSS Score: 0.013 | Published: 2017-12-14
gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
    CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2017-12-14
examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.
    CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2017-12-14
Shodan ® - All rights reserved