Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In February 2019
CVE-2019-7402
An issue was discovered in PHPMyWind 5.5. The GetQQ function in include/func.class.php allows XSS via the cfg_qqcode parameter. This can be exploited via CSRF.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-02-05
CVE-2019-7403
An issue was discovered in PHPMyWind 5.5. It allows remote attackers to delete arbitrary folders via an admin/database_backup.php?action=import&dopost=deldir&tbname=../ URI.
CVSS Score
4.9
EPSS Score
0.003
Published
2019-02-05
CVE-2017-18362
Known exploited
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication.
CVSS Score
9.8
EPSS Score
0.486
Published
2019-02-05
CVE-2018-20753
Known exploited
Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild.
CVSS Score
9.8
EPSS Score
0.372
Published
2019-02-05
CVE-2019-7400
Rukovoditel before 2.4.1 allows XSS.
CVSS Score
6.1
EPSS Score
0.074
Published
2019-02-05
CVE-2018-15655
An issue was discovered in 42Gears SureMDM before 2018-11-27, related to CORS settings. Cross-origin access is possible.
CVSS Score
6.5
EPSS Score
0.003
Published
2019-02-05
CVE-2018-15656
An issue was discovered in the registration API endpoint in 42Gears SureMDM before 2018-11-27. An attacker can submit a GET request to /api/register/:email, where :email is a base64 encoded e-mail address, to receive confirmation as to whether a user account exists in the system with the specified e-mail address. The request must be made with an "apiKey" value in the "ApiKey" header.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-02-05
CVE-2018-15657
An SSRF issue was discovered in 42Gears SureMDM before 2018-11-27 via the /api/DownloadUrlResponse.ashx "url" parameter.
CVSS Score
7.3
EPSS Score
0.072
Published
2019-02-05
CVE-2018-15658
An issue was discovered in 42Gears SureMDM before 2018-11-27. By visiting the page found at /console/ConsolePage/Master.html, an attacker is able to see the markup that would be presented to an authenticated user. This is caused by the session validation occurring after the initial markup is loaded. This results in a list of unprotected API endpoints that disclose call logs, SMS logs, and user-account data.
CVSS Score
7.5
EPSS Score
0.008
Published
2019-02-05
CVE-2018-15659
An issue was discovered in 42Gears SureMDM before 2018-11-27, related to the access policy for Silverlight applications. Cross-origin access is possible.
CVSS Score
6.5
EPSS Score
0.003
Published
2019-02-05


Products
Pricing
Contact Us

Shodan ® - All rights reserved