Security Vulnerabilities - CVEs Published In June 2019
An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \.. to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine's SAM and SYSTEM database files, as well as remote code execution.
CVSS Score: 9.8
EPSS Score: 0.107
Published: 2019-06-05
Gemalto DS3 Authentication Server 2.6.1-SP01 allows OS Command Injection.
CVSS Score: 8.0
EPSS Score: 0.016
Published: 2019-06-05
Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure.
CVSS Score: 5.7
EPSS Score: 0.001
Published: 2019-06-05
Gemalto DS3 Authentication Server 2.6.1-SP01 has Broken Access Control.
CVSS Score: 5.7
EPSS Score: 0.001
Published: 2019-06-05
A Remote Unauthorized Access vulnerability was identified in HPE Smart Update Manager (SUM) earlier than version 8.3.5.
CVSS Score: 9.8
EPSS Score: 0.009
Published: 2019-06-05
A SQL injection vulnerability in /client/api/json/v2/nfareports/compareReport in Zoho ManageEngine NetFlow Analyzer 12.3 allows attackers to execute arbitrary SQL commands via the DeviceID parameter.
CVSS Score: 9.8
EPSS Score: 0.224
Published: 2019-06-05
A Path Traversal vulnerability in Controllers/LetsEncryptController.cs in LetsEncryptController in GrandNode 4.40 allows remote, unauthenticated attackers to retrieve arbitrary files on the web server via specially crafted LetsEncrypt/Index?fileName= HTTP requests. A patch for this issue was made on 2019-05-30 in GrandNode 4.40.
CVSS Score: 7.5
EPSS Score: 0.9
Published: 2019-06-05
The HPE Nonstop Maintenance Entity family of products is vulnerable to local disclosure of information, such as system layout and configuration.
CVSS Score: 5.1
EPSS Score: 0.0
Published: 2019-06-05
ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.20190228 allows SSRF via the aggregate plugin. The impact also includes reading local files via file: URIs.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2019-06-05
Prima Systems FlexAir, versions 2.4.9api3 and prior: the application allows the upload of arbitrary Python scripts when configuring the main central controller. These scripts can be executed immediately, and they run as root rather than as a web server user, allowing an authenticated attacker to gain full system access.
CVSS Score: 8.8
EPSS Score: 0.23
Published: 2019-06-05