Security Vulnerabilities - CVEs Published In April 2019
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2019-04-22
All versions of unity-scope-gdrive log search terms to syslog.
CVSS Score: 2.0 | EPSS Score: 0.002 | Published: 2019-04-22
In versions of Unity8 before 8.11+16.04.20160122-0ubuntu1, the file plugins/Dash/CardCreator.js will execute any code found in place of a fallback image supplied by a scope.
CVSS Score: 4.8 | EPSS Score: 0.001 | Published: 2019-04-22
UDM provides support for running commands after a download is completed; this is currently used for click package installation. This functionality was not restricted to unconfined applications. Before UDM version 1.2+16.04.20160408-0ubuntu1, any confined application could use the UDM C++ API to run arbitrary commands in an unconfined environment as the phablet user.
CVSS Score: 6.7 | EPSS Score: 0.002 | Published: 2019-04-22
In all versions of Unity8, a running but not active application on a large-screen device could talk with Maliit and consume keyboard input.
CVSS Score: 1.6 | EPSS Score: 0.002 | Published: 2019-04-22
In all versions of AppArmor, mount rules are accidentally widened when compiled.
CVSS Score: 3.9 | EPSS Score: 0.001 | Published: 2019-04-22
In versions of Oxide before 1.18.3, a malicious webview could install long-lived unload handlers that re-use an incognito BrowserContext that is queued for destruction.
CVSS Score: 1.8 | EPSS Score: 0.002 | Published: 2019-04-22
The Snapweb interface before version 0.21.2 exposed controls to install or remove snap packages without verifying the identity of the user or the origin of the connection. An attacker could have used the controls to remotely add a valid, but malicious, snap package from the Store, potentially using system resources without permission from the legitimate administrator of the system.
CVSS Score: 7.1 | EPSS Score: 0.003 | Published: 2019-04-22
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
CVSS Score: 6.1 | EPSS Score: 0.012 | Published: 2019-04-22
A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage).
CVSS Score: 8.1 | EPSS Score: 0.019 | Published: 2019-04-22



Shodan ® - All rights reserved