Security Vulnerabilities - CVEs Published In June 2019
An information leakage exists in Micro Focus NetIQ Self Service Password Reset Software all versions prior to version 4.4. The vulnerability could be exploited to expose sensitive information.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2019-06-24
An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Worx Express through 1.86, and Config+ through 1.86. A manipulated PC Worx or Config+ project file could lead to a Use-After-Free and remote code execution. The attacker needs to get access to an original PC Worx or Config+ project file to be able to manipulate it. After manipulation, the attacker needs to exchange the original file with the manipulated one on the application programming workstation.
CVSS Score: 8.8 | EPSS Score: 0.02 | Published: 2019-06-24
The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs via the webmail/logs/sendmail URI.
CVSS Score: 4.3 | EPSS Score: 0.002 | Published: 2019-06-24
The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a TCP socket open to the internet, then it is an insecure configuration issue.
CVSS Score: 9.8 | EPSS Score: 0.048 | Published: 2019-06-24
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a TCP socket open to the internet, then it is an insecure configuration issue.
CVSS Score: 9.8 | EPSS Score: 0.034 | Published: 2019-06-24
BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for attacks on exposed IPC functions.
CVSS Score: 7.1 | EPSS Score: 0.003 | Published: 2019-06-23
apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.
CVSS Score: 7.8 | EPSS Score: 0.001 | Published: 2019-06-23
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.
CVSS Score: 7.4 | EPSS Score: 0.005 | Published: 2019-06-23
Denial of Service (DoS) in Dial Reference Source Code used before June 18th, 2019.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2019-06-21
BlogEngine.NET 3.3.7 and earlier allows XXE via an apml file to syndication.axd.
CVSS Score: 7.5 | EPSS Score: 0.005 | Published: 2019-06-21
Shodan ® - All rights reserved