Security Vulnerabilities - CVEs Published In 2018
Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.
CVSS Score
6.1
EPSS Score
0.013
Published
2018-12-06
Persistent Cross-Site Scripting (XSS) in the advancedsetup_websiteblocking.html Website Blocking page of the Actiontec C1000A router with firmware through CAC004-31.30L.95 allows a remote attacker to inject arbitrary HTML into the Website Blocking page by inserting arbitrary HTML into the 'TodUrlAdd' URL parameter in a /urlfilter.cmd POST request.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-12-06
Pixelimity 1.0 has Persistent XSS via the admin/portfolio.php data[title] parameter, as demonstrated by a crafted onload attribute of an SVG element.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-12-06
Norton Password Manager for Android (formerly Norton Identity Safe) may be susceptible to a cross site scripting (XSS) exploit, which is a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to potentially bypass access controls such as the same-origin policy.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-12-06
DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field.
CVSS Score
4.8
EPSS Score
0.002
Published
2018-12-06
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
CVSS Score
4.8
EPSS Score
0.003
Published
2018-12-06
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
CVSS Score
4.8
EPSS Score
0.004
Published
2018-12-06
FreeSWITCH through 1.8.2, when mod_xml_rpc is enabled, allows remote attackers to execute arbitrary commands via the api/system or txtapi/system (or api/bg_system or txtapi/bg_system) query string on TCP port 8080, as demonstrated by an api/system?calc URI. This can also be exploited via CSRF. Alternatively, the default password of works for the freeswitch account can sometimes be used.
CVSS Score
7.5
EPSS Score
0.134
Published
2018-12-06
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute arbitrary commands by tweaking the original filename of the STIX import.
CVSS Score
8.8
EPSS Score
0.442
Published
2018-12-06
In unflatten of GraphicBuffer.cpp, there is a possible bad fd close due to improper input validation. This could lead to local escalation of privilege in the system server with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-114223584.
CVSS Score
7.8
EPSS Score
0.0
Published
2018-12-06