Interesting timing: this was just found at the same time the worldwide ransomware attack is taking hold...
Remote code execution flaws exposed in Kaspersky software
There are four vulnerabilities in total: a cross-site scripting bug, a cross-site request forgery flaw, improper privilege management, and improper limits set on pathnames to restricted directories, leading to the bypass of security protocols, information leaks, and remote code execution.
The first issue, a cross-site scripting bug (CVE-2017-9813), occurs because the software fails to neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is served as a web page to other users; in particular, a feature allows configuring shell scripts to be executed when certain events occur.
If exploited, information stored in user cookies can be leaked, and if malicious scripts are loaded, it may be possible to remotely execute code on victim systems.
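As an added illustration of that vulnerability class (not the advisory's or Kaspersky's code): a hypothetical console page that lists the configured event-triggered scripts, first rendered without neutralizing the stored values and then with HTML escaping. The hook entries and the `renderHooks*` functions are constructed for this example.

```javascript
// Added example, not Kaspersky's code: the stored-XSS pattern (CWE-79) described above.
// Assumed: an admin web console lists "event hook" entries (event name + shell script
// path) that users can configure, and renders them into an HTML table for other admins.

// Constructed sample data: one benign entry and one whose script field carries HTML.
const eventHooks = [
  { event: 'ThreatDetected', script: '/opt/hooks/notify.sh' },
  { event: 'UpdateFinished', script: '<img src=x onerror="alert(1)">' },
];

// Vulnerable: the stored values are concatenated into the page unchanged.
function renderHooksVulnerable(hooks) {
  return '<table>' + hooks.map(h =>
    `<tr><td>${h.event}</td><td>${h.script}</td></tr>`).join('') + '</table>';
}

// Neutralize the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: every stored field passes through escapeHtml before reaching the page,
// so a configured script "name" can never become markup.
function renderHooksSafe(hooks) {
  return '<table>' + hooks.map(h =>
    `<tr><td>${escapeHtml(h.event)}</td><td>${escapeHtml(h.script)}</td></tr>`).join('') + '</table>';
}

// Review/test check: did any tag that originated in the input survive into the output?
// (Only the table tags emitted by the renderer itself are expected.)
function containsRawTag(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}
```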