Security Vulnerabilities - CVEs Published In October 2018
In the 5.4.0 version of the Fork CMS software, HTML Injection and Stored XSS vulnerabilities were discovered via the /backend/ajax URI.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-10-02
In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter.
CVSS Score
6.1
EPSS Score
0.02
Published
2018-10-02
On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, GetDownLoadSyslog.sh, and upload_firmware.cgi do not require authentication, which allows remote attackers to execute arbitrary code.
CVSS Score
9.8
EPSS Score
0.105
Published
2018-10-02
On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 Command Injection via shell metacharacters in the POST data, because this data is sent directly to the "system" library function.
CVSS Score
9.8
EPSS Score
0.177
Published
2018-10-02
XSS exists in admin/gb-dashboard-widget.php in the Gwolle Guestbook (gwolle-gb) plugin before 2.5.4 for WordPress via the PATH_INFO to wp-admin/index.php
CVSS Score
6.1
EPSS Score
0.003
Published
2018-10-02
An issue was discovered in JEESNS 1.3. The XSS filter in com.lxinet.jeesns.core.utils.XssHttpServletRequestWrapper.java could be bypassed, as demonstrated by a <svg/onLoad=confirm substring. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-12429.
CVSS Score
5.4
EPSS Score
0.002
Published
2018-10-02
An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. Cleartext Transmission of Sensitive Information allows man-in-the-middle attackers to eavesdrop authentication information between the application and the server.
CVSS Score
8.1
EPSS Score
0.001
Published
2018-10-02
An issue was discovered in the MensaMax (aka com.breustedt.mensamax) application 4.3 for Android. The use of a Hard-coded DES Cryptographic Key allows an attacker who decodes the application to decrypt transmitted data such as the login username and password.
CVSS Score
7.5
EPSS Score
0.004
Published
2018-10-02
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
CVSS Score
4.9
EPSS Score
0.007
Published
2018-10-02
AirTies Air 5750 devices with software 1.0.0.18 have XSS via the top.html productboardtype parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-10-02