Security Vulnerabilities - CVEs Published In 2018
International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.
CVSS Score: 9.8 | EPSS Score: 0.021 | Published: 2018-11-04
The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.
CVSS Score: 4.8 | EPSS Score: 0.005 | Published: 2018-11-04
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.
CVSS Score: 8.8 | EPSS Score: 0.034 | Published: 2018-11-04
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery in the file session provider in file.go. This is related to session ID handling in the go-macaron/session code for Macaron.
CVSS Score: 9.8 | EPSS Score: 0.937 | Published: 2018-11-04
Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.
CVSS Score: 9.8 | EPSS Score: 0.071 | Published: 2018-11-04
An issue was discovered in PublicCMS V4.0. It allows XSS by modifying the page_list "attached" attribute (which typically has 'class="icon-globe icon-large"' in its value), as demonstrated by an 'UPDATE sys_module SET attached = "[XSS]" WHERE id="page_list"' statement.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2018-11-04
xhEditor 1.2.2 allows XSS via JavaScript code in the SRC attribute of an IFRAME element within the editor's source-code view.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2018-11-03
Vanilla 2.6.x before 2.6.4 allows remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.049 | Published: 2018-11-03
There is an infinite loop in the Exiv2::Image::printIFDStructure function of image.cpp in Exiv2 0.27-RC1. A crafted input will lead to a remote denial of service attack.
CVSS Score: 6.5 | EPSS Score: 0.006 | Published: 2018-11-03
Integrated Data Protection Appliance versions 2.0, 2.1, and 2.2 contain undocumented accounts named 'support' and 'admin' that are protected with default passwords. These accounts have limited privileges and can access certain system files only. A malicious user with the knowledge of the default passwords may potentially log in to the system and gain read and write access to certain system files.
CVSS Score: 8.8 | EPSS Score: 0.005 | Published: 2018-11-02
Shodan ® - All rights reserved