Security Vulnerabilities - CVEs Published In March 2019
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 exposes directory listings (catalogued as directory traversal): a direct request for an image directory such as assets/ returns an index of its contents.
CVSS Score: 6.5 | EPSS Score: 0.004 | Published: 2019-03-21
PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has HTML injection via the Search Bar.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-03-21
PHP Scripts Mall Entrepreneur Job Portal Script 3.0.1 has stored Cross-Site Scripting (XSS) via the Full Name field.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2019-03-21
bin/statistics in TWiki 6.0.2 allows cross-site scripting (XSS) via the webs parameter.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2019-03-21
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. The login form passes user input directly to a shell command without any escaping or validation in the /usr/share/www/check.lp file. An attacker is able to perform command injection using the "password" parameter of the login form.
CVSS Score: 9.8 | EPSS Score: 0.369 | Published: 2019-03-21
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. After successful authentication, the device sends the user an authentication cookie that grants access to the device's web administration panel. This token is hard-coded as a string in the source code (the /usr/share/www/check.lp file). By setting this cookie in a browser, an attacker is able to access every ENC-400 device without knowing the password, which results in an authentication bypass. Even if a user changes the password on the device, the token is static and unchanged.
CVSS Score: 8.1 | EPSS Score: 0.437 | Published: 2019-03-21
An issue was discovered on Teracue ENC-400 devices with firmware 2.56 and below. Although the web interface presents a login before it can be used, a large portion of the HTTP endpoints do not enforce authentication. An attacker is able to retrieve these pages without authenticating, and some of them may disclose sensitive information.
CVSS Score: 7.5 | EPSS Score: 0.444 | Published: 2019-03-21
Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior is vulnerable to remote code execution via deserialization of untrusted input from an authenticated user. The executed code runs under the identity of the IIS application pool hosting the application.
CVSS Score: 8.8 | EPSS Score: 0.046 | Published: 2019-03-21
www/soap/application/MCSoap/Logs.php in MailCleaner Community Edition 2018.08 allows remote attackers to execute arbitrary OS commands.
CVSS Score: 8.8 | EPSS Score: 0.753 | Published: 2019-03-21
Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey.
CVSS Score: 6.8 | EPSS Score: 0.002 | Published: 2019-03-21

Shodan ® - All rights reserved