Security Vulnerabilities - CVEs Published In May 2019
The EnGenius EWS660AP router with firmware 2.0.284 allows an attacker to execute arbitrary commands using the built-in ping and traceroute utilities by using different payloads and injecting multiple parameters. This vulnerability is fixed in a later firmware version.
CVSS Score: 9.8, EPSS Score: 0.025, Published: 2019-05-09
njs through 0.3.1, used in NGINX, has a segmentation fault in String.prototype.toBytes for negative arguments, related to nxt_utf8_next in nxt/nxt_utf8.h and njs_string_offset in njs/njs_string.c.
CVSS Score: 7.5, EPSS Score: 0.003, Published: 2019-05-09
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.splice after a resize, related to njs_array_prototype_splice in njs/njs_array.c, because of njs_array_expand size mishandling.
CVSS Score: 9.8, EPSS Score: 0.004, Published: 2019-05-09
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.push after a resize, related to njs_array_prototype_push in njs/njs_array.c, because of njs_array_expand size mishandling.
CVSS Score: 9.8, EPSS Score: 0.004, Published: 2019-05-09
A vulnerability in LibreOffice hyperlink processing allows an attacker to construct documents containing hyperlinks pointing to the location of an executable on the target user's file system. If the hyperlink is activated by the victim, the executable target is unconditionally launched. Under Windows and macOS, when processing a hyperlink target explicitly activated by the user, there was no judgment made on whether the target was an executable file, so such executable targets were launched unconditionally. This issue affects: all LibreOffice Windows and macOS versions prior to 6.1.6; LibreOffice Windows and macOS versions in the 6.2 series prior to 6.2.3.
CVSS Score: 7.8, EPSS Score: 0.002, Published: 2019-05-09
The Rediffmail (aka com.rediff.mail.and) application 2.2.6 for Android has cleartext mail content in file storage, persisting after a logout.
CVSS Score: 4.6, EPSS Score: 0.0, Published: 2019-05-09
Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via cmdline.
CVSS Score: 5.5, EPSS Score: 0.0, Published: 2019-05-09
cJSON before 1.7.11 allows out-of-bounds access, related to \x00 in a string literal.
CVSS Score: 9.8, EPSS Score: 0.006, Published: 2019-05-09
cJSON before 1.7.11 allows out-of-bounds access, related to multiline comments.
CVSS Score: 9.8, EPSS Score: 0.006, Published: 2019-05-09
TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.
CVSS Score: 7.5, EPSS Score: 0.009, Published: 2019-05-09

