Security Vulnerabilities - CVEs Published In 2017
MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in /clientes/visualizar, which allows remote attackers to inject arbitrary web script or HTML via a crafted description parameter.
CVSS Score
5.4
EPSS Score
0.001
Published
2017-11-21
An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution.
CVSS Score
8.8
EPSS Score
0.007
Published
2017-11-20
An exploitable out-of-bounds vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted XLS file with a formula record can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.
CVSS Score
8.8
EPSS Score
0.007
Published
2017-11-20
An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.
CVSS Score
8.8
EPSS Score
0.006
Published
2017-11-20
An exploitable out-of-bounds write vulnerability exists in the read_MSAT function of libxls 1.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.
CVSS Score
8.8
EPSS Score
0.015
Published
2017-11-20
An exploitable stack-based buffer overflow vulnerability exists in the xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can cause memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability.
CVSS Score
8.8
EPSS Score
0.013
Published
2017-11-20
A vulnerability in Apache OpenOffice Writer DOC file parser before 4.1.4, and specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash) potentially resulting in arbitrary code execution.
CVSS Score
7.8
EPSS Score
0.009
Published
2017-11-20
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-11-20
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
CVSS Score
5.4
EPSS Score
0.002
Published
2017-11-20
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
CVSS Score
5.4
EPSS Score
0.005
Published
2017-11-20

