Security Vulnerabilities - CVEs Published In March 2019
SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, does not sufficiently encode user-controlled inputs, which results in cross-site scripting (XSS) vulnerability.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-03-12
Banking services from SAP 9.0 (FSAPPL version 5) and SAP S/4HANA Financial Products Subledger (S4FPSL, version 1) performs an inadequate authorization check for an authenticated user, potentially resulting in escalation of privileges.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-03-12
SAP HANA extended application services, version 1, advanced does not sufficiently validate an XML document accepted from an authenticated developer with privileges to the SAP space (XML External Entity vulnerability).
CVSS Score
6.5
EPSS Score
0.008
Published
2019-03-12
azure-umqtt-c (available through GitHub prior to 2017 October 6) allows remote attackers to cause a denial of service via unspecified vectors.
CVSS Score
7.5
EPSS Score
0.212
Published
2019-03-12
Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.
CVSS Score
9.1
EPSS Score
0.006
Published
2019-03-12
An incomplete cryptography of the data store function by using hidden tag in Nablarch 5 (5, and 5u1 to 5u13) allows remote attackers to obtain information of the stored data, to register invalid value, or alter the value via unspecified vectors.
CVSS Score
9.1
EPSS Score
0.002
Published
2019-03-12
Cross-site request forgery (CSRF) vulnerability in FormCraft 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-03-12
Data Leakage Attacks vulnerability in the web interface in McAfee Database Security prior to the 4.6.6 March 2019 update allows local users to expose passwords via incorrectly auto completing password fields in the admin browser login screen.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-03-12
Mailtraq WebMail version 2.17.7.3550 has Persistent Cross Site Scripting (XSS) via the body of an e-mail message. To exploit the vulnerability, the victim must open an email with malicious Javascript inserted into the body of the email as an iframe.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-03-12
The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f devices has Persistent XSS via the Port Alias field under Serial Setting.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-03-12