Security Vulnerabilities - CVEs Published In 2018
Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2018-12-28

Mezzanine CMS v4.3.1 allows XSS via the /admin/blog/blogcategory/add/?_to_field=id&_popup=1 title parameter at admin/blog/blogpost/add/.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2018-12-28

Evolution CMS 1.4.x allows XSS via the page weblink title parameter to the manager/ URI.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-12-28

Evolution CMS 1.4.x allows XSS via the manager/ search parameter.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2018-12-28

The mintToken function of Nexxus (NXX) aka NexxusToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-12-28

The mintToken function of SwftCoin (SWFTC) aka SwftCoin, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-12-28

The mintToken function of Pylon (PYLNT) aka PylonToken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value, a related issue to CVE-2018-11812.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-12-28

main.aspx in Microstrategy Analytics 10.4.0026.0049 and earlier has CSRF. NOTE: The vendor claims that documentation for preventing a CSRF attack has been provided (https://community.microstrategy.com/s/article/KB37643-New-security-feature-introduced-in-MicroStrategy-Web-9-0?language=en_US) and disagrees that this issue is a vulnerability. They also claim that MicroStrategy was never properly informed of this issue via normal support channels or their vulnerability reporting page on their website, so they were unable to evaluate the report or explain how this is something their customers view as a feature and not a security vulnerability.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2018-12-28

Orange Livebox 00.96.320S devices have an undocumented /system_firmwarel.stm URI for manual firmware update. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2018-12-28

Orange Livebox 00.96.320S devices allow cgi-bin/autodialing.exe and cgi-bin/phone_test.exe CSRF, leading to arbitrary outbound telephone calls to an attacker-specified telephone number. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2018-12-28

Shodan ® - All rights reserved