Security Vulnerabilities - CVEs Published In May 2019
The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.
CVSS Score: 9.8 | EPSS Score: 0.097 | Published: 2019-05-09
PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 mishandles Phar stub parsing, which allows attackers to bypass a deserialization protection mechanism.
CVSS Score: 9.8 | EPSS Score: 0.024 | Published: 2019-05-09
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault <=10.7 allows remote attackers to read arbitrary files or potentially bypass authentication via a crafted DTD in the SAML authentication system.
CVSS Score: 9.8 | EPSS Score: 0.168 | Published: 2019-05-08
Symantec AV Engine, prior to 13.0.9r17, may be susceptible to an arbitrary file deletion issue, which is a type of vulnerability that could allow an attacker to delete files on the resident system without elevated privileges.
CVSS Score: 5.5 | EPSS Score: 0.001 | Published: 2019-05-08
Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon.
CVSS Score: 6.1 | EPSS Score: 0.02 | Published: 2019-05-08
Subrion CMS 4.2.1 allows _core/en/contacts/ XSS via the name, email, or phone parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-05-08
An issue was discovered in SmtpTransport in CakePHP 3.7.6. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2019-05-08
In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-login service crashes when the client disconnects prematurely during the AUTH command.
CVSS Score: 7.5 | EPSS Score: 0.015 | Published: 2019-05-08
Kaspersky Lab Antivirus Engine versions before 04.apr.2019 have a heap-based buffer overflow vulnerability that potentially allows arbitrary code execution.
CVSS Score: 8.8 | EPSS Score: 0.025 | Published: 2019-05-08
In UpdateLoadElement of ic.cc, there is a possible out-of-bounds write due to type confusion. This could lead to remote code execution in the proxy auto-config with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0, Android-7.1.1, Android-7.1.2, Android-8.0, Android-8.1, Android-9. Android ID: A-117607414.
CVSS Score: 9.8 | EPSS Score: 0.009 | Published: 2019-05-08
Shodan ® - All rights reserved