Security Vulnerabilities - CVEs Published In May 2019
AbanteCart 1.2.8 allows SQL Injection via the source_language parameter to admin/controller/pages/localisation/language.php and core/lib/language_manager.php, or via POST data to admin/controller/pages/tool/backup.php and admin/model/tool/backup.php.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-05-24
Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files, and then modules/upload/upload_main.php can be used for the upload itself.
CVSS Score
8.8
EPSS Score
0.001
Published
2019-05-24
In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-05-24
PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php file to pkinc/admin/mediaarchive.php and pkinc/func/default.php via the image_name parameter.
CVSS Score
8.8
EPSS Score
0.004
Published
2019-05-24
The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resultant arbitrary code execution, via ExtendedFileManager/Classes/ExtendedFileManager.php because ExtendedFileManager can be used to rename the .htaccess file that blocks .php uploads.
CVSS Score
9.8
EPSS Score
0.01
Published
2019-05-24
Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php.
CVSS Score
8.8
EPSS Score
0.004
Published
2019-05-24
An issue was discovered in Eventum 3.5.0. /htdocs/post_note.php has XSS via the garlic_prefix parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-05-24
SQL injection exists in ADD Clicking MLM Software 1.0, Binary MLM Software 1.0, Level MLM Software 1.0, Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Investment MLM Software 1.0, Bidding MLM Software 1.0, Moneyorder MLM Software 1.0, Repurchase MLM Software 1.0, and Gift MLM Software 1.0 via the member/readmsg.php msg_id parameter, the member/tree.php pid parameter, or the member/downline.php m_id parameter.
CVSS Score
9.8
EPSS Score
0.007
Published
2019-05-24
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Heidelberg Prinect Archiver v2013 release 1.0.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-05-24
In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.
CVSS Score
6.1
EPSS Score
0.066
Published
2019-05-24