Security Vulnerabilities - CVEs Published In April 2019
A remote web page could inject arbitrary HTML code into the Oculus Browser UI, allowing an attacker to spoof UI and potentially execute code. This affects the Oculus Browser starting from version 5.2.7 until 5.7.11.
CVSS Score: 6.1 | EPSS Score: 0.004 | Published: 2019-04-29
Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacker to gain privileges via a malicious 'fzsftp' binary in the user's home directory.
CVSS Score: 7.8 | EPSS Score: 0.007 | Published: 2019-04-29
When handling an SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
CVSS Score: 5.9 | EPSS Score: 0.007 | Published: 2019-04-29
In Adblock Plus before 3.5.2, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect.
CVSS Score: 8.1 | EPSS Score: 0.009 | Published: 2019-04-29
In AdBlock before 3.45.0, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect.
CVSS Score: 8.1 | EPSS Score: 0.014 | Published: 2019-04-29
In uBlock before 0.9.5.15, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect.
CVSS Score: 9.0 | EPSS Score: 0.009 | Published: 2019-04-29
In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.
CVSS Score: 7.5 | EPSS Score: 0.016 | Published: 2019-04-29
esoTalk 1.0.0g4 has XSS via the PATH_INFO to the conversations/ URI.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-04-29
parse_string in cJSON.c in cJSON before 2016-10-02 has a buffer over-read, as demonstrated by a string that begins with a " character and ends with a \ character.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2019-04-29
The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.
CVSS Score: 8.8 | EPSS Score: 0.004 | Published: 2019-04-29
Shodan ® - All rights reserved