Security Vulnerabilities - CVEs Published In August 2017
Soplanning 1.32 and earlier generates static links for sharing ICAL calendars with embedded login information, which allows remote attackers to obtain a calendar owner's password via a brute-force attack on the embedded password hash.
CVSS Score: 7.5 | EPSS Score: 0.321 | Published: 2017-08-31
Directory traversal vulnerability in the file_get_contents function in SOPlanning 1.32 and earlier allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in a URL path parameter.
CVSS Score: 5.3 | EPSS Score: 0.847 | Published: 2017-08-31
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users to execute arbitrary PHP code via a crafted database name. This requires a prepared database together with access to an existing database with a crafted name, or permissions to create arbitrary databases, or (if PHP before 5.2 is in use) that the configuration database is down and smarty/templates_c is not writable.
CVSS Score: 5.3 | EPSS Score: 0.03 | Published: 2017-08-31
Designate 2015.1.0 through 1.0.0.0b1, as packaged in OpenStack Kilo, does not enforce the RecordSets-per-domain and Records-per-RecordSet quotas when processing an internal zone file transfer, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted resource record set.
CVSS Score: 6.5 | EPSS Score: 0.024 | Published: 2017-08-31
phpFileManager 0.9.8 allows remote attackers to execute arbitrary commands via a crafted URL.
CVSS Score: 8.8 | EPSS Score: 0.525 | Published: 2017-08-31
Double-free vulnerability in the sPLT chunk structure and png.c in pngcrush before 1.7.87 allows attackers to have unspecified impact via unknown vectors.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2017-08-31
Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter.
CVSS Score: 6.1 | EPSS Score: 0.009 | Published: 2017-08-31
An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network.
CVSS Score: 7.3 | EPSS Score: 0.012 | Published: 2017-08-31
In the webmail component of IceWarp Server 11.3.1.5, an XSS vulnerability was discovered in the "language" parameter.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2017-08-31
Multiple cross-site scripting (XSS) vulnerabilities in phpThumb() before 1.7.14 allow remote attackers to inject arbitrary web script or HTML via parameters in demo/phpThumb.demo.showpic.php.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2017-08-31
Shodan ® - All rights reserved