Security Vulnerabilities - CVEs Published In February 2019
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing
CVSS Score
9.8
EPSS Score
0.22
Published
2019-02-15
In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-02-15
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6.0-11.6.3.2, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface) also known as the BIG-IP configuration utility.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-02-14
NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software does not validate or incorrectly validates input that can affect the control flow or data flow of a program, which may lead to denial of service or escalation of privileges. Android ID: A-70857947.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-02-13
NVIDIA Tegra library contains a vulnerability in libnvmmlite_video.so, where referencing memory after it has been freed may lead to denial of service or possible escalation of privileges. Android ID: A-80433161.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-02-13
NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which the software delivers extra data with the buffer and does not properly validated the extra data, which may lead to denial of service or escalation of privileges. Android ID: A-80198474.
CVSS Score
7.8
EPSS Score
0.001
Published
2019-02-13
The TextEditor 2.0 in ABB CP400 Panel Builder versions 2.0.7.05 and earlier contain a vulnerability in the file parser of the Text Editor wherein the application doesn't properly prevent the insertion of specially crafted files which could allow arbitrary code execution.
CVSS Score
7.8
EPSS Score
0.003
Published
2019-02-13
In msmtp 1.8.2 and mpop 1.4.3, when tls_trust_file has its default configuration, certificate-verification results are not properly checked.
CVSS Score
5.3
EPSS Score
0.002
Published
2019-02-13
Open redirect vulnerability in OpenAM (Open Source Edition) 13.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-02-13
Input validation issue in POWER EGG(Ver 2.0.1, Ver 2.02 Patch 3 and earlier, Ver 2.1 Patch 4 and earlier, Ver 2.2 Patch 7 and earlier, Ver 2.3 Patch 9 and earlier, Ver 2.4 Patch 13 and earlier, Ver 2.5 Patch 12 and earlier, Ver 2.6 Patch 8 and earlier, Ver 2.7 Patch 6 and earlier, Ver 2.7 Government Edition Patch 7 and earlier, Ver 2.8 Patch 6 and earlier, Ver 2.8c Patch 5 and earlier, Ver 2.9 Patch 4 and earlier) allows remote attackers to execute EL expression on the server via unspecified vectors.
CVSS Score
9.8
EPSS Score
0.009
Published
2019-02-13