Security Vulnerabilities - CVEs Published In June 2019
out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site Scripting (XSS) via the name field.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-06-20
Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. An attacker with administrator privileges can leverage this to gain code execution within a Check Point Software Technologies signed binary, where under certain circumstances may cause the client to terminate.
CVSS Score
4.4
EPSS Score
0.005
Published
2019-06-20
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. This can cause loading of a previously placed executable with a name similar to the parts of the path, instead of the intended one.
CVSS Score
9.8
EPSS Score
0.005
Published
2019-06-20
An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server.
CVSS Score
9.8
EPSS Score
0.008
Published
2019-06-20
An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.
CVSS Score
4.8
EPSS Score
0.004
Published
2019-06-20
FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup variable on the /admin/config.php?display=disa&view=form page.
CVSS Score
4.3
EPSS Score
0.003
Published
2019-06-20
SQL injection vulnerability in AccountStatus.jsp in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary SQL commands via the "username" GET parameter.
CVSS Score
8.8
EPSS Score
0.003
Published
2019-06-20
Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (Firmware Version 3) allows remote attackers to execute arbitrary code via a malicious MediaServer request to /userRpm/MediaServerFoldersCfgRpm.htm.
CVSS Score
7.2
EPSS Score
0.437
Published
2019-06-20
YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html title parameter.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-06-20
b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-06-20