Security Vulnerabilities - CVEs Published In June 2019
In NETGEAR ReadyNAS Surveillance before 1.4.3-17 x86 and before 1.1.4-7 ARM, $_GET['uploaddir'] is not escaped and is passed to system() through $tmp_upload_dir, leading to upgrade_handle.php?cmd=writeuploaddir remote command execution.
CVSS Score
8.4
EPSS Score
0.155
Published
2019-06-11
HooToo TripMate Titan HT-TM05 and HT-05 routers with firmware 2.000.022 and 2.000.082 allow remote command execution via shell metacharacters in the mac parameter of a protocol.csp?function=set&fname=security&opt=mac_table request.
CVSS Score
9.8
EPSS Score
0.341
Published
2019-06-11
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them.
CVSS Score
5.3
EPSS Score
0.193
Published
2019-06-11
All versions up to BD_R218V2.4 of the ZTE MF920 product are impacted by an information leak vulnerability. Because some interfaces can obtain the WebUI login password without login, an attacker can exploit the vulnerability to obtain sensitive information about the affected components.
CVSS Score
8.1
EPSS Score
0.003
Published
2019-06-11
All versions up to BD_R218V2.4 of the ZTE MF920 product are impacted by a command execution vulnerability. Because some interfaces do not adequately verify parameters, an attacker can execute arbitrary commands through specific interfaces.
CVSS Score
9.8
EPSS Score
0.012
Published
2019-06-11
All versions up to V20.18.40.R7.B1 of the ZTE NetNumen DAP product have an XSS vulnerability. The lack of correct validation of client data in web applications results in users being hijacked.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-06-11
An issue was discovered in Joomla! before 3.9.7. The update server URL of com_joomlaupdate can be manipulated by non Super-Admin users.
CVSS Score
6.5
EPSS Score
0.0
Published
2019-06-11
An issue was discovered in Joomla! before 3.9.7. The CSV export of com_actionslogs is vulnerable to CSV injection.
CVSS Score
9.8
EPSS Score
0.02
Published
2019-06-11
An issue was discovered in Joomla! before 3.9.7. The subform fieldtype does not sufficiently filter or validate input of subfields. This leads to XSS attack vectors.
CVSS Score
6.1
EPSS Score
0.001
Published
2019-06-11
All versions up to UKBB_WF820+_1.0.0B06 of the ZTE WF820+ LTE Outdoor CPE product are impacted by a command injection vulnerability. Due to inadequate parameter verification, unauthorized users can take advantage of this vulnerability to control the user terminal system.
CVSS Score
9.0
EPSS Score
0.034
Published
2019-06-11



Shodan ® - All rights reserved