Security Vulnerabilities - CVEs Published In March 2019
ChinaMobile PLC Wireless Router GPN2.4P21-C-CN devices with firmware W2001EN-00 have an Incorrect Access Control vulnerability via the cgi-bin/webproc?getpage=html/index.html subpage=wlsecurity URI, allowing an attacker to change the Wireless Security Password.
CVSS Score
8.8
EPSS Score
0.158
Published
2019-03-21
IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 binaries load shared libraries from an untrusted path, potentially giving a low-privilege user full access to root by loading a malicious shared library. IBM X-Force ID: 158014.
CVSS Score
8.4
EPSS Score
0.0
Published
2019-03-21
An exploitable privilege escalation vulnerability exists in the helper service CleanMyMac X, version 4.20, due to improper updating. The application failed to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. A user with local access can use this vulnerability to modify the file system as root. An attacker would need local access to the machine for a successful exploit.
CVSS Score
7.1
EPSS Score
0.0
Published
2019-03-21
An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.
CVSS Score
9.8
EPSS Score
0.02
Published
2019-03-21
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port < 1.3.2.
CVSS Score
8.1
EPSS Score
0.005
Published
2019-03-21
A bug in handling the ignore files and directories feature in serve 6.5.3 allows an attacker to read a file or list the directory that the victim has not allowed access to.
CVSS Score
7.5
EPSS Score
0.003
Published
2019-03-21
A path traversal vulnerability in localhost-now npm package version 1.0.2 allows attackers to read the content of arbitrary files on the remote server.
CVSS Score
7.5
EPSS Score
0.006
Published
2019-03-21
A path traversal vulnerability in serve npm package version 7.0.1 allows attackers to read the content of arbitrary files on the remote server.
CVSS Score
7.5
EPSS Score
0.006
Published
2019-03-21
An issue was discovered in portier vision 4.4.4.2 and 4.4.4.6. Due to a lack of user input validation in parameter handling, it has various SQL injections, including on the login form, and on the search form for a key ring number.
CVSS Score
9.8
EPSS Score
0.068
Published
2019-03-21
An issue was discovered in portier vision 4.4.4.2 and 4.4.4.6. Passwords are stored using reversible encryption rather than as a hash value, and the Vigenere algorithm used is badly outdated. Moreover, the encryption key is static and too short. Due to this, the passwords stored by the application can be easily decrypted.
CVSS Score
9.8
EPSS Score
0.001
Published
2019-03-21

