Security Vulnerabilities - CVEs Published In February 2019
LCDS Laquis SCADA prior to version 4.1.0.4150 allows an authentication bypass, which may allow an attacker access to sensitive data.
CVSS Score
5.3
EPSS Score
0.005
Published
2019-02-05
LCDS Laquis SCADA prior to version 4.1.0.4150 allows improper control of generation of code when opening a specially crafted project file, which may allow remote code execution, data exfiltration, or cause a system crash.
CVSS Score
7.8
EPSS Score
0.005
Published
2019-02-05
LCDS Laquis SCADA prior to version 4.1.0.4150 allows an attacker using a specially crafted project file to supply a pointer for a controlled memory address, which may allow remote code execution, data exfiltration, or cause a system crash.
CVSS Score
7.8
EPSS Score
0.005
Published
2019-02-05
An exploitable SQL injection vulnerability exists in the administrator web portal function of coTURN prior to version 4.5.0.9. A login message with a specially crafted username can cause an SQL injection, resulting in authentication bypass, which could give access to the TURN server administrator web portal. An attacker can log in via the external interface of the TURN server to trigger this vulnerability.
CVSS Score
9.1
EPSS Score
0.005
Published
2019-02-05
On BIG-IP APM 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.3 and 12.1.0 to 12.1.3.7, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-02-05
The PS PHPCaptcha WP plugin before v1.2.0 for WordPress mishandles sanitization of input values.
CVSS Score
9.8
EPSS Score
0.008
Published
2019-02-05
In the Parallax Scroll (aka adamrob-parallax-scroll) plugin before 2.1 for WordPress, includes/adamrob-parralax-shortcode.php allows XSS via the title text. ("parallax" has a spelling change within the PHP filename.)
CVSS Score
6.1
EPSS Score
0.002
Published
2019-02-05
Haraka version 2.8.8 and earlier comes with a plugin for processing attachments for zip files. Versions 2.8.8 and earlier can be vulnerable to command injection.
CVSS Score
9.8
EPSS Score
0.742
Published
2019-02-05
Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation.
CVSS Score
7.5
EPSS Score
0.046
Published
2019-02-05
The kube-rbac-proxy container before version 0.4.1 as used in Red Hat OpenShift Container Platform does not honor TLS configurations, allowing for use of insecure ciphers and TLS 1.0. An attacker could target traffic sent over a TLS connection with a weak configuration and potentially break the encryption.
CVSS Score
3.7
EPSS Score
0.001
Published
2019-02-05