Security Vulnerabilities - CVEs Published In 2018
Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive information about the content of bug reports.
CVSS Score
5.3
EPSS Score
0.001
Published
2018-11-20
Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.
CVSS Score
8.8
EPSS Score
0.004
Published
2018-11-19
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2
CVSS Score
9.8
EPSS Score
0.019
Published
2018-11-19
Arbitrary file upload in jQuery Upload File <= 4.0.2
CVSS Score
9.8
EPSS Score
0.286
Published
2018-11-19
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.
CVSS Score
9.1
EPSS Score
0.003
Published
2018-11-19
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.
CVSS Score
9.9
EPSS Score
0.005
Published
2018-11-19
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.
CVSS Score
9.8
EPSS Score
0.012
Published
2018-11-19
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
CVSS Score
6.2
EPSS Score
0.001
Published
2018-11-19
BestXsoftware Best Free Keylogger before 6.0.0 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
CVSS Score
7.8
EPSS Score
0.002
Published
2018-11-19
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).
CVSS Score
9.8
EPSS Score
0.11
Published
2018-11-19