Security Vulnerabilities - CVEs Published In June 2019
The WP Statistics plugin through 12.6.5 for Wordpress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-06-03
An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-06-02
Incorrect access control was discovered in the stdonato Dashboard plugin through 0.9.7 for GLPI, affecting df.php, issue.php, load.php, mem.php, traf.php, and uptime.php in front/sh.
CVSS Score
9.8
EPSS Score
0.004
Published
2019-06-02
There is an out-of-bounds read vulnerability in the function FlateStream::getChar() located at Stream.cc in Xpdf 4.01.01. It can, for example, be triggered by sending a crafted PDF document to the pdftoppm tool. It might allow an attacker to cause Information Disclosure or a denial of service.
CVSS Score
7.1
EPSS Score
0.003
Published
2019-06-02
Page 126