Security Vulnerabilities - CVEs Published In March 2019
Zyxel NBG-418N v2 v1.00(AAXM.4)C0 devices allow login.cgi CSRF.
CVSS Score: 8.8 | EPSS Score: 0.006 | Published: 2019-03-07

In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2019-03-07

An issue was discovered in PHPMyWind 5.5. The username parameter of the /install/index.php page has a stored Cross-site Scripting (XSS) vulnerability, as demonstrated by admin/login.php.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-03-07

An issue was discovered in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2019-03-07

njiandan-cms through 2013-05-23 has index.php/admin/user_new CSRF to add an administrator.
CVSS Score: 8.8 | EPSS Score: 0.002 | Published: 2019-03-07

An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the first textbox of "System setting->site setting" of admin/index.php, aka site_name.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2019-03-07

An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the second textbox of "System setting->site setting" of admin/index.php, aka site_domain.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2019-03-07

An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulnerability in the third textbox (aka site logo) of "System setting->site setting" of admin/index.php, aka site_logo.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2019-03-07

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a command injection allowing a remote attacker to execute arbitrary code and get a root shell. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNetworkTomographySettings API function, as demonstrated by shell metacharacters in the tomography_ping_number field.
CVSS Score: 9.8 | EPSS Score: 0.093 | Published: 2019-03-07

An issue was discovered on Motorola C1 and M2 devices with firmware 1.01 and 1.07 respectively. This issue is a command injection allowing a remote attacker to execute arbitrary code and get a root shell. A command injection vulnerability allows attackers to execute arbitrary OS commands via a crafted /HNAP1 POST request. This occurs when any HNAP API function triggers a call to the system function with untrusted input from the request body for the SetNTPServerSettings API function, as demonstrated by shell metacharacters in the system_time_timezone field.
CVSS Score: 9.8 | EPSS Score: 0.093 | Published: 2019-03-07

