Security Vulnerabilities - CVEs Published In 2018
LimeSurvey version 3.15.5 contains a Cross-site scripting (XSS) vulnerability in Survey Resource zip upload, resulting in Javascript code execution against LimeSurvey administrators. Fixed in version 3.15.6.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-12-21
There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.
CVSS Score
9.8
EPSS Score
0.035
Published
2018-12-21
SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
CVSS Score
8.1
EPSS Score
0.168
Published
2018-12-21
Incorrect access control in StackStorm API (st2api) in StackStorm before 2.9.2 and 2.10.x before 2.10.1 allows an attacker (who has a StackStorm account and is authenticated against the StackStorm API) to retrieve datastore items for other users by utilizing the /v1/keys "?scope=all" and "?user=<username>" query filter parameters. Enterprise editions with RBAC enabled are not affected.
CVSS Score
5.3
EPSS Score
0.004
Published
2018-12-21
The Floureon IP Camera SP012 provides a root terminal on a UART serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
CVSS Score
6.8
EPSS Score
0.001
Published
2018-12-21
Hancom Office 2018 10.0.0.8214 and earlier, Hancom Office NEO 9.6.1.10472 and earlier, Hancom Office 2014 9.1.1.4540 and earlier, Hancom Office 2010 8.5.8.1724 and earlier versions have a heap overflow vulnerability when handling Compound File in document. This result in a program crash or denial of service conditions.
CVSS Score
5.5
EPSS Score
0.002
Published
2018-12-21
SKCertService 2.5.5 and earlier contains a vulnerability that could allow remote attacker to execute arbitrary code. This vulnerability exists due to the way .dll files are loaded by SKCertService. It allows an attacker to load a .dll of the attacker's choosing that could execute arbitrary code without the user's knowledge.
CVSS Score
7.8
EPSS Score
0.006
Published
2018-12-21
An Address Bar Spoofing vulnerability in Trend Micro Dr. Safety for Android (Consumer) versions 3.0.1324 and below could allow an attacker to potentially trick a victim into visiting a malicious URL using address bar spoofing on the Private Browser of the app on vulnerable installations.
CVSS Score
6.5
EPSS Score
0.003
Published
2018-12-21
A Trend Micro OfficeScan XG weak file permissions vulnerability on a particular folder for a particular group may allow an attacker to alter the files, which could lead to other exploits on vulnerable installations.
CVSS Score
7.5
EPSS Score
0.002
Published
2018-12-21
A Trend Micro OfficeScan XG weak file permissions vulnerability may allow an attacker to potentially manipulate permissions on some key files to modify other files and folders on vulnerable installations.
CVSS Score
7.5
EPSS Score
0.002
Published
2018-12-21