Security Vulnerabilities - CVEs Published In December 2018
imcat 4.4 allows XSS via a crafted cookie to the root/tools/adbug/binfo.php?cookie URI.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-12-30
UWA 2.3.11 allows index.php?g=admin&c=admin&a=add_admin_do CSRF.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2018-12-30
Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/add_pictures.php article ID.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2018-12-30
Ivan Cordoba Generic Content Management System (CMS) through 2018-04-28 has XSS via the Administrator/users.php user ID.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2018-12-30
A heap-based buffer over-read was discovered in the decompileJUMP function in util/decompile.c of libming v0.4.8. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by swftocxx.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2018-12-30
In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd function of the mxml-node.c file. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted xml file, as demonstrated by mxmldoc.
CVSS Score: 5.5 | EPSS Score: 0.004 | Published: 2018-12-30
In Mini-XML (aka mxml) v2.12, there is a stack-based buffer overflow in the scan_file function in mxmldoc.c.
CVSS Score: 5.5 | EPSS Score: 0.003 | Published: 2018-12-30
An issue was discovered in hsweb 3.0.4. It is a reflected XSS vulnerability due to the absence of type parameter checking in FlowableModelManagerController.java.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-12-30
A CSRF issue was discovered in web/authorization/oauth2/controller/OAuth2ClientController.java in hsweb 3.0.4 because the state parameter in the request is not compared with the state parameter in the session after user authentication is successful.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2018-12-30
Jspxcms v9.0.0 allows SSRF.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2018-12-30

