Security Vulnerabilities - CVEs Published In January 2019
Inappropriate symlink handling and a race condition in the stateful recovery feature implementation could lead to a persistence established by a malicious code running with root privileges in cryptohomed in Google Chrome on Chrome OS prior to 61.0.3163.113 allowed a local attacker to execute arbitrary code via a crafted HTML page.
CVSS Score: 7.0
EPSS Score: 0.0
Published: 2019-01-09
Frog CMS 0.9.5 has XSS in the admin/?/page/edit/1 body field.
CVSS Score: 4.8
EPSS Score: 0.002
Published: 2019-01-09
In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.
CVSS Score: 9.8
EPSS Score: 0.004
Published: 2019-01-09
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.
CVSS Score: 7.5
EPSS Score: 0.113
Published: 2019-01-09
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.
CVSS Score: 7.5
EPSS Score: 0.004
Published: 2019-01-09
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.
CVSS Score: 8.8
EPSS Score: 0.019
Published: 2019-01-09
Improper input validation in the proxy component of McAfee Web Gateway 7.8.2.0 and later allows remote attackers to cause a denial of service via a crafted HTTP request parameter.
CVSS Score: 7.5
EPSS Score: 0.005
Published: 2019-01-09
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
CVSS Score: 6.1
EPSS Score: 0.037
Published: 2019-01-09
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
CVSS Score: 6.1
EPSS Score: 0.112
Published: 2019-01-09
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
CVSS Score: 6.1
EPSS Score: 0.041
Published: 2019-01-09


Shodan ® - All rights reserved