Security Vulnerabilities - CVEs Published In March 2019
The AirMore application through 1.6.1 for Android allows remote attackers to cause a denial of service (system hang) via many simultaneous /?Key=PhoneRequestAuthorization requests.
CVSS Score
7.5
EPSS Score
0.184
Published
2019-03-15
The AirDrop application through 2.0 for Android allows remote attackers to cause a denial of service via a client that makes many socket connections through a configured port.
CVSS Score
7.5
EPSS Score
0.18
Published
2019-03-15
The Screen Stream application through 3.0.15 for Android allows remote attackers to cause a denial of service via many simultaneous /start-stop requests.
CVSS Score
7.5
EPSS Score
0.196
Published
2019-03-15
The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. NOTE: the vendor disputes the risk because there is a clear warning next to the button for importing a snapshot
CVSS Score
6.1
EPSS Score
0.081
Published
2019-03-15
Cobham Satcom Sailor 250 and 500 devices before 1.25 contained persistent XSS, which could be exploited by an unauthenticated threat actor via the /index.lua?pageID=Phone%20book name field.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-03-15
Cobham Satcom Sailor 250 and 500 devices before 1.25 contained an unauthenticated password reset vulnerability. This could allow modification of any user account's password (including the default "admin" account), without prior knowledge of their password. All that is required is knowledge of the username and attack vector (/index.lua?pageID=Administration usernameAdmChange, passwordAdmChange1, and passwordAdmChange2 fields).
CVSS Score
9.8
EPSS Score
0.01
Published
2019-03-15
Cobham Satcom Sailor 800 and 900 devices contained a vulnerability that allowed for arbitrary writing of content to the system's configuration file. This was exploitable via multiple attack vectors depending on the device's configuration. Further analysis also indicated this vulnerability could be leveraged to achieve a Denial of Service (DoS) condition, where the device would require a factory reset to return to normal operation.
CVSS Score
7.5
EPSS Score
0.004
Published
2019-03-15
Cobham Satcom Sailor 800 and 900 devices contained persistent XSS, which required administrative access to exploit. The vulnerability was exploitable by acquiring a copy of the device's configuration file, inserting an XSS payload into a relevant field (e.g., Satellite name), and then restoring the malicious configuration file.
CVSS Score
4.8
EPSS Score
0.003
Published
2019-03-15
An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunElevated.exe provides "NT AUTHORITY\SYSTEM" access to unprivileged users via the --system option.
CVSS Score
7.8
EPSS Score
0.0
Published
2019-03-15
An issue was discovered in CapMon Access Manager 5.4.1.1005. CALRunElevated.exe attempts to enforce access control by adding an unprivileged user to the local Administrators group for a very short time to execute a single command. However, the user is left in that group if the command crashes, and there is also a race condition in all cases.
CVSS Score
7.0
EPSS Score
0.0
Published
2019-03-15