Security Vulnerabilities - CVEs Published In June 2019
Various Lexmark devices have a Buffer Overflow (issue 1 of 2).
CVSS Score: 9.8
EPSS Score: 0.005
Published: 2019-06-28
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console could allow a remote attacker to obtain sensitive information when a specially crafted URL causes a stack trace to be dumped. IBM X-Force ID: 160202.
CVSS Score: 5.3
EPSS Score: 0.004
Published: 2019-06-28
Various Lexmark devices have a Buffer Overflow (issue 2 of 2).
CVSS Score: 9.8
EPSS Score: 0.005
Published: 2019-06-28
RockOA 1.8.7 allows remote attackers to obtain sensitive information because the webmain/webmainAction.php publictreestore method constructs a SQL WHERE clause unsafely by using the pidfields and idfields parameters, aka background SQL injection.
CVSS Score: 8.8
EPSS Score: 0.002
Published: 2019-06-28
The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.
CVSS Score: 7.5
EPSS Score: 0.007
Published: 2019-06-28
On Telus Actiontec WEB6000Q v1.1.02.22 devices, an attacker can log in with root-level access with the user "root" and password "admin" by using the enabled onboard UART headers.
CVSS Score: 9.8
EPSS Score: 0.012
Published: 2019-06-28
In Loopchain through 2.2.1.3, an attacker can escalate privileges from a low-privilege shell by changing the environment (aka injection in the DEFAULT_SCORE_HOST environment variable).
CVSS Score: 8.8
EPSS Score: 0.008
Published: 2019-06-28
Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwt_authenticator.cc segmentation fault.
CVSS Score: 7.5
EPSS Score: 0.007
Published: 2019-06-28
A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, because user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute an XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher-privileged users.
CVSS Score: 6.5
EPSS Score: 0.004
Published: 2019-06-27
Application protection bypass vulnerability in McAfee Enterprise Security Manager (ESM) prior to 11.2.0 and prior to 10.4.0 allows an unauthenticated user to impersonate system users via specially crafted parameters.
CVSS Score: 8.3
EPSS Score: 0.014
Published: 2019-06-27

