Security Vulnerabilities - CVEs Published In June 2019
Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions.
CVSS Score
8.8
EPSS Score
0.007
Published
2019-06-06
An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-06-06
In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.
CVSS Score
8.8
EPSS Score
0.002
Published
2019-06-06
In Rancher 2 through 2.2.3, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container.
CVSS Score
8.8
EPSS Score
0.005
Published
2019-06-06
X-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-06-06
An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A lack of encryption in how the user login cookie (admin-auth) is stored on a victim's computer results in the admin password being discoverable by a local attacker, and usable to gain administrative access to the victim's router. The admin password is stored in base64 cleartext in an "admin-auth" cookie. An attacker sniffing the network at the time of login could acquire the router's admin password. Alternatively, gaining physical access to the victim's computer soon after an administrative login could result in compromise.
CVSS Score
7.8
EPSS Score
0.0
Published
2019-06-06
An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2. Stored XSS was found in the the My Profile Section. This is due to lack of sanitization in the Edit Name section.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-06-06
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name field.
CVSS Score
5.4
EPSS Score
0.002
Published
2019-06-06
The Chartkick gem through 3.1.0 for Ruby allows XSS.
CVSS Score
4.7
EPSS Score
0.003
Published
2019-06-06
There is a use after free vulnerability on certain driver component in Huawei Mate10 smartphones versions earlier than ALP-AL00B 9.0.0.167(C00E85R2P20T8). An attacker tricks the user into installing a malicious application, which make the software to reference memory after it has been freed. Successful exploit could cause a denial of service condition.
CVSS Score
5.5
EPSS Score
0.001
Published
2019-06-06